Hacker Reference

The following section contains a complete reference of all the objects that can be returned through the API. Objects that have been explained earlier in this documentation are not included. The objects in this section are never top level resources by themselves and will only be returned as sub resources.

All objects are made up of an id and a type attribute. In addition to those, attributes and relationships can be specified. For an example of what the data schema looks like, take a look at the response structure or the response object. Additional reading can be done at jsonapi.org.

activity

{
  "id": "string",
  "type": "string",
  "attributes": {
    "report_id": "string",
    "message": "string",
    "internal": true,
    "created_at": "2019-08-24T14:15:22Z",
    "updated_at": "2019-08-24T14:15:22Z"
  },
  "relationships": {
    "actor": {
      "data": {}
    },
    "attachments": {
      "data": [
        {
          "id": "1337",
          "type": "attachment",
          "attributes": {
            "expiring_url": "/system/attachments/files/000/001/337/original/root.rb?1454385906",
            "created_at": "2016-02-02T04:05:06.000Z",
            "file_name": "root.rb",
            "content_type": "text/x-ruby",
            "file_size": 2871
          }
        }
      ]
    }
  }
}

These objects represent an action that was performed on a report. Activities come in many sub types that can have additional attributes.

Attributes

Name Type Required Description
id string true The unique ID of the activity.
type string true Indicates what kind of activity it is.
attributes object true none
» report_id string false The report associated with the activity.
» message string¦null true The comment associated with the activity. May be updated through the
HackerOne interface. Markdown is not parsed.
» internal boolean true Indicates if this activity can only be read by Program users
and external users that were invited to the report.
» created_at string(date-time) true The date and time the object was created. Formatted according
to ISO 8601.
» updated_at string(date-time) true The date and time the object was updated. Formatted according
to ISO 8601.
relationships object false none
» actor object false The author of the activity.
»» data object false none

oneOf - discriminator: user.type

Name Type Required Description
»»» anonymous user false User objects represent accounts on HackerOne. These objects are mostly referenced
when someone performed an action using that account. All different actors on the
platform, hackers, API users, and program users, have a user account.

xor

Name Type Required Description
»»» anonymous program false A program object represents a disclosure program or bug bounty program on the
platform. When a user reports a bug to a program, this is
the object they interact with. Behind a program, there can be multiple users
that are part of the program. Those users can interact with reports on behalf
of the program.

continued

Name Type Required Description
» attachments object false A list of Attachment objects added to the activity.
»» data [attachment] false [Users can add attachments when they file a report or when they interact with a
report. Attachments may contain dangerous proof of concepts and should be handled
with caution.
]

asset-enrichment-submission

{
  "id": "1",
  "type": "asset-enrichment-submission",
  "attributes": {
    "identifier": "hackerone.com",
    "description": "this is a description",
    "asm_tag_name": "tag1",
    "team_handle": "security",
    "status": "in_review",
    "created_at": "2022-10-02T04:05:06.000Z"
  }
}

An asset enrichment submission object contains the information that is associated with an asset enrichment submission.

Attributes

Name Type Required Description
id string true The unique ID of the asset-enrichment-submission.
type string true none
attributes object true none
» identifier string true The identifier of the asset for which the enrichment is being submitted.
» team_handle string true The handle of the team that the asset relates to.
» status string true The returned status field can be either “in_review” or “duplicate”. When the
status is duplicate it means the asset already has that specific tag.
» description string¦null false An optional description for additional information regarding the enrichment submission.
» asm_tag_name string true The name of the tag submitted.
» created_at string(date-time) true The date and time the asset enrichment submission was created. Formatted according
to ISO 8601.

Enumerated Values

Property Value
type asset-enrichment-submission

asset-tag

{
  "data": [
    {
      "id": "2",
      "type": "asset-tag",
      "attributes": {
        "name": "test"
      }
    }
  ],
  "links": {}
}

An asset tag object contains the information that is associated with an asset tag, such as its name.

Attributes

Name Type Required Description
id string true The unique ID of the asset tag.
type string true none
attributes object false none
» name string true The name of the asset tag

Enumerated Values

Property Value
type asset-tag

attachment

{
  "id": "1337",
  "type": "attachment",
  "attributes": {
    "expiring_url": "/system/attachments/files/000/001/337/original/root.rb?1454385906",
    "created_at": "2016-02-02T04:05:06.000Z",
    "file_name": "root.rb",
    "content_type": "text/x-ruby",
    "file_size": 2871
  }
}

Users can add attachments when they file a report or when they interact with a report. Attachments may contain dangerous proof of concepts and should be handled with caution.

Attributes

Name Type Required Description
id string true The unique ID of the attachment.
type string true none
attributes object true none
» file_name string true The file name of the attachment.
» content_type string true The content type of the attachment. The content type is derived from the
contents and extension of the file.
» file_size integer true The file size of the attachment in bytes.
» expiring_url string true A URL to download the attachment. The URL will automatically expire after
60 minutes.
» created_at string(date-time) true The date and time the object was created. Formatted according
to ISO 8601.

Enumerated Values

Property Value
type attachment
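
The attachment fields above are supplied by whoever filed the report, so a client that stores attachments should treat file_name, content_type and file_size as untrusted hints. The following Python sketch is an added example, not part of the HackerOne documentation: it derives a quarantine file name that cannot escape its directory, checks the 60-minute expiring_url lifetime, and caps a download at the declared file_size. The helper names, the 5-minute margin, the 50 MiB cap and the second attachment are assumptions made for the example.

```python
import io
import posixpath
import re
from datetime import datetime, timedelta, timezone

URL_LIFETIME = timedelta(minutes=60)  # expiry documented for expiring_url
SAFETY_MARGIN = timedelta(minutes=5)  # assumption: local allowance for slow downloads
MAX_BYTES = 50 * 1024 * 1024          # assumption: local policy cap per attachment
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")

# Constructed activity wrapper. The first attachment is the sample from this
# page; the second is constructed to show a hostile file_name.
SAMPLE_ACTIVITY = {
    "id": "1", "type": "activity",
    "relationships": {"attachments": {"data": [
        {"id": "1337", "type": "attachment", "attributes": {
            "expiring_url": "/system/attachments/files/000/001/337/original/root.rb?1454385906",
            "created_at": "2016-02-02T04:05:06.000Z", "file_name": "root.rb",
            "content_type": "text/x-ruby", "file_size": 2871}},
        {"id": "1338", "type": "attachment", "attributes": {
            "expiring_url": "/placeholder", "created_at": "2016-02-02T04:05:06.000Z",
            "file_name": "..\\..\\.ssh/authorized_keys",
            "content_type": "text/plain", "file_size": 120}},
    ]}},
}


def quarantine_name(attachment):
    """Build a local file name that cannot leave the quarantine directory."""
    raw = attachment["attributes"].get("file_name") or ""
    # Drop any directory part, whichever separator the uploader used.
    base = posixpath.basename(raw.replace("\\", "/"))
    base = _UNSAFE.sub("_", base).lstrip(".")[:100] or "unnamed"
    ident = _UNSAFE.sub("_", str(attachment["id"]))
    # The fixed suffix keeps the stored file from being opened by extension.
    return f"{ident}_{base}.quarantine"


def url_still_valid(fetched_at, now):
    """True while the expiring_url from a response received at fetched_at is usable."""
    return now - fetched_at < URL_LIFETIME - SAFETY_MARGIN


def read_capped(stream, declared_size, chunk=64 * 1024):
    """Read an attachment body, refusing more bytes than file_size declared."""
    if declared_size > MAX_BYTES:
        raise ValueError("declared file_size exceeds local cap")
    body = bytearray()
    while True:
        block = stream.read(chunk)
        if not block:
            return bytes(body)
        body += block
        if len(body) > declared_size:
            raise ValueError("body is larger than declared file_size")


def collect_attachments(obj):
    """Gather attachments from a report or activity, including nested activities."""
    rel = obj.get("relationships") or {}
    found = list((rel.get("attachments") or {}).get("data") or [])
    for activity in (rel.get("activities") or {}).get("data") or []:
        found.extend(collect_attachments(activity))
    return found


def plan(obj, fetched_at, now):
    """Return one quarantine instruction per attachment; nothing is executed or rendered."""
    steps = []
    for att in collect_attachments(obj):
        attrs = att["attributes"]
        steps.append({
            "save_as": quarantine_name(att),
            "declared_type": attrs.get("content_type"),  # hint only, never dispatched on
            "declared_size": attrs.get("file_size"),
            "refetch_needed": not url_still_valid(fetched_at, now),
        })
    return steps


if __name__ == "__main__":
    t0 = datetime(2016, 2, 2, 4, 5, 6, tzinfo=timezone.utc)
    for step in plan(SAMPLE_ACTIVITY, t0, t0 + timedelta(minutes=10)):
        print(step)
    print(len(read_capped(io.BytesIO(b"x" * 2871), 2871)))
```
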

bounty

{
  "id": "1337",
  "type": "bounty",
  "attributes": {
    "amount": "500.00",
    "bonus_amount": "50.00",
    "created_at": "2016-02-02T04:05:06.000Z"
  }
}

When a program pays a bounty to the hacker, a bounty object is created. A report may contain multiple bounty objects, one for each time a bounty was awarded. The hacker that reported the vulnerability is the user that received the bounty.

Attributes

Name Type Required Description
id string true The unique ID of the bounty.
type string true none
attributes object true none
» amount string¦null false Amount in USD.
» bonus_amount string¦null false Bonus amount in USD.
» awarded_amount string¦null false Amount in awarded currency.
» awarded_bonus_amount string¦null false Bonus amount in awarded currency.
» awarded_currency string¦null false The currency used to award the bounty and bonus.
» created_at string(date-time) true The date and time the object was created. Formatted according
to ISO 8601.

Enumerated Values

Property Value
type bounty

earning

{
  "id": 9,
  "type": "earning-bounty-earned",
  "attributes": {
    "amount": 150,
    "created_at": "2015-02-02T04:05:06.000Z"
  }
}

An earning object

Attributes

Name Type Required Description
id string false The unique ID of the earning object
type any false none
attributes object false none
» amount number true The amount that was earned
required any false none
relationships object false none
» team object false The program where the earning was earned.
»» data program false A program object represents a disclosure program or bug bounty program on the
platform. When a user reports a bug to a program, this is
the object they interact with. Behind a program, there can be multiple users
that are part of the program. Those users can interact with reports on behalf
of the program.
» bounty object false The bounty object for the earning, in the case of earning-bounty-earned type
»» data bounty false When a program pays a bounty to the hacker, a bounty object is created.
A report may contain multiple bounty objects, one for each time a bounty was
awarded. The hacker that reported the vulnerability is the user that received
the bounty.
» pentester object false The pentester object for the earning, in the case of earning-pentest-completed
»» data pentester false A pentester object represents a completion of a pentest by a user.
» report_retest_user object false The report_retest_user object for the earning, in the case of earning-retest-completed
»» data report_retest_user false none

Enumerated Values

Property Value
type earning-bounty-earned
type earning-retest-completed
type earning-checklist-check-completed
type earning-pentest-completed

group

{
  "id": "1337",
  "type": "group",
  "attributes": {
    "name": "Admin",
    "created_at": "2016-02-02T04:05:06.000Z",
    "permissions": [
      "user_management",
      "report_management"
    ]
  }
}

A group represents a set of users. A group is used to delegate permissions for the users in it. It can also be assigned to one or multiple reports.

Attributes

Name Type Required Description
id string true The unique ID of the group.
type string true none
attributes object true none
» name string true The name of the group.
» permissions [string] true The permissions of the group. Possible values are reward_management,
program_management, user_management, and
report_management.
» created_at string(date-time) true The date and time the object was created. Formatted according
to ISO 8601.

Enumerated Values

Property Value
type group

hacker-asset-submission

{
  "id": "1",
  "type": "hacker-asset-submission",
  "attributes": {
    "identifier": "hackerone.com",
    "description": "",
    "asset_type": "domain",
    "asm_tag_ids": [
      2,
      4,
      5
    ],
    "integrity_confidentiality": "low",
    "confidentiality_confidentiality": "medium",
    "availability_confidentiality": "high",
    "team_handle": "security",
    "status": "in_review",
    "created_at": "2022-10-02T04:05:06.000Z"
  }
}

A hacker asset submission object contains the information that is associated with a hacker asset submission.

Attributes

Name Type Required Description
id string true The unique ID of the hacker-asset-submission.
type string true none
attributes object true none
» identifier string false The domain of the asset that is being submitted.
» team_handle string false The handle of the team that the asset is being submitted to.
» asset_type string true The type of asset you are submitting, currently only ‘domain’
» status string false The returned status field can be either “in_review” or “duplicate”. When the
status is duplicate it means the asset was either already known in the customer's asset
inventory, or already submitted by someone else.
» description string¦null false An optional description for additional information regarding
how you found this asset and/or why you believe it belongs to
this team.
» asm_tag_ids array¦null false An array of asm_tag_ids submitted for the asset
» confidentiality_requirement string¦null false A CVSS environmental modifier that reweights Confidentiality Impact
of a vulnerability on this asset.
» integrity_requirement string¦null false A CVSS environmental modifier that reweights Integrity Impact of a
vulnerability on this asset.
» availability_requirement string¦null false A CVSS environmental modifier that reweights Availability Impact of
a vulnerability on this asset.
» created_at string(date-time) false The date and time the asset submission was created. Formatted according
to ISO 8601.

Enumerated Values

Property Value
type hacker-asset-submission
asset_type domain
confidentiality_requirement none
confidentiality_requirement low
confidentiality_requirement medium
confidentiality_requirement high
confidentiality_requirement null
integrity_requirement none
integrity_requirement low
integrity_requirement medium
integrity_requirement high
integrity_requirement null
availability_requirement none
availability_requirement low
availability_requirement medium
availability_requirement high
availability_requirement null

links

{
  "data": [
    {
      "id": "1337",
      "type": "some-object",
      "attributes": {
        "some_attribute": "some value"
      },
      "relationships": {
        "some_relationship": {
          "data": {
            "id": "1337",
            "type": "some-other-object",
            "attributes": {
              "some_attribute": "some value"
            }
          }
        }
      }
    }
  ],
  "links": {
    "prev": "https://api.hackerone.com/v1/hackers/reports/1336",
    "self": "https://api.hackerone.com/v1/hackers/reports/1337",
    "next": "https://api.hackerone.com/v1/hackers/reports/1338"
  }
}

When querying for multiple objects, the client needs to know how to query the next page. This kind of data is included in this attribute. If there is no additional metadata, this attribute is not returned by the API.

Attributes

Name Type Required Description
attributes object false none
» prev string false This attribute contains a URL to the previous page or previous resource when
the resource or resources are paginated.
» self string false This attribute contains a URL to the resource itself when it can be queried as a
top level resource. At this moment, only report objects can
be queried as individual resources.
» next string false This attribute contains the URL to the next page or next resource when the resource
or resources are paginated.
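
A client that follows next automatically will send its API credentials to whatever URL the response names, so it is worth pinning pagination to the origin of the first request. The following Python sketch is an added example, not part of the HackerOne documentation: it walks the links described above, stops when the links attribute is absent, and rejects a next URL on another origin or one that loops. The fetch callable, the function names and the sample pages are assumptions constructed for the example; the URLs reuse the pattern from the sample response.

```python
from urllib.parse import urlsplit

START = "https://api.hackerone.com/v1/hackers/reports/1337"

# Constructed responses keyed by URL, standing in for an HTTP client.
PAGES = {
    START: {
        "data": [{"id": "1337", "type": "some-object"}],
        "links": {
            "prev": "https://api.hackerone.com/v1/hackers/reports/1336",
            "self": START,
            "next": "https://api.hackerone.com/v1/hackers/reports/1338",
        },
    },
    # No links attribute: the API omits it when there is nothing more to follow.
    "https://api.hackerone.com/v1/hackers/reports/1338": {
        "data": [{"id": "1338", "type": "some-object"}],
    },
}

# Constructed response whose next link points at a look-alike host.
OFF_ORIGIN = {
    START: {
        "data": [],
        "links": {"next": "https://api.hackerone.com.example.net/v1/hackers/reports/1338"},
    },
}

# Constructed response whose next link points back at itself.
LOOPING = {START: {"data": [], "links": {"next": START}}}


def _origin(url):
    """Scheme, host and port as parsed by urlsplit (userinfo tricks are ignored)."""
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port)


def collect_pages(fetch, start_url, max_pages=500):
    """Follow links.next from start_url and return every item in data.

    fetch is a hypothetical callable that takes a URL and returns the decoded
    JSON body; in a real client it would attach the API credentials.
    """
    origin = _origin(start_url)
    if origin[0] != "https":
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    url, seen, items = start_url, set(), []
    while url:
        if url in seen:
            raise ValueError("pagination loop detected")
        if len(seen) >= max_pages:
            raise ValueError("page limit reached")
        seen.add(url)
        body = fetch(url)
        data = body.get("data") or []
        items.extend(data if isinstance(data, list) else [data])
        nxt = (body.get("links") or {}).get("next")
        if nxt is not None and _origin(nxt) != origin:
            raise ValueError("next link leaves the API origin")
        url = nxt
    return items


if __name__ == "__main__":
    print([item["id"] for item in collect_pages(PAGES.__getitem__, START)])
```
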

payout

{
  "amount": 100,
  "paid_out_at": "2016-02-02T04:05:06.000Z",
  "reference": "<reference>",
  "payout_provider": "PayPal",
  "status": "sent"
}

A payout object

Attributes

Name Type Required Description
amount number false The amount in USD that was paid out.
paid_out_at date-time false The date and time the payout was created. Formatted according
to ISO 8601.
reference string false none
payout_provider string false none
status string false none

pentest

{
  "id": "123",
  "type": "pentest",
  "attributes": {
    "name": "Name of the pentest",
    "description": "This is the description"
  }
}

A pentest object

Attributes

Name Type Required Description
id string false The unique ID of the pentest object
type string false none
attributes object false none
» name string false The name of the pentest
» description string false The description of the pentest
required any false none

Enumerated Values

Property Value
type pentest

pentester

{
  "id": "123",
  "type": "pentester",
  "attributes": {
    "completed_at": "2016-02-02T04:05:06.000Z",
    "award_amount": "4000.00"
  }
}

A pentester object represents a completion of a pentest by a user.

Attributes

Name Type Required Description
id string false The unique ID of the pentester object
type string false none
attributes object false none
» amount number true The amount that was earned by the user
» completed_at string(date-time) false The date and time the user completed the pentest. Formatted according
to ISO 8601.
required any false none
relationships object false none
» pentest object false The pentest object completed by the user
»» data pentest false A pentest object

Enumerated Values

Property Value
type pentester

program

{
  "id": "1337",
  "type": "program",
  "attributes": {
    "handle": "security"
  }
}

A program object represents a disclosure program or bug bounty program on the platform. When a user reports a bug to a program, this is the object they interact with. Behind a program, there can be multiple users that are part of the program. Those users can interact with reports on behalf of the program.

Attributes

Name Type Required Description
handle string false The unique handle of the program.
type string false none
attributes object false none
» handle string true The handle of the program. Handles are unique and scoped under the same
namespace as user usernames.
required any false none
relationships object false none
» structured_scopes object false The assets of the program, which is used to determine whether a security
vulnerability is within the scope of said program.
»» data [structured-scope] false [A StructuredScope object represents an asset defined by the program. The scope on a
report was initially provided by the hacker, but may be reviewed and corrected by
the program.
]

Enumerated Values

Property Value
type program

program_small

{
  "id": "1337",
  "type": "program",
  "attributes": {
    "handle": "security"
  }
}

A program object represents a disclosure program or bug bounty program on the platform. When a user reports a bug to a program, this is the object they interact with. Behind a program, there can be multiple users that are part of the program. Those users can interact with reports on behalf of the program.

Attributes

Name Type Required Description
id string true The unique ID of the program.
type string true none
attributes object true none
» handle string true The handle of the program. Handles are unique and scoped under the same
namespace as user usernames.

Enumerated Values

Property Value
type program

report

{
  "data": {
    "id": "1337",
    "type": "report",
    "attributes": {
      "title": "XSS in login form",
      "state": "new",
      "created_at": "2021-06-30T09:59:37.783Z",
      "vulnerability_information": "Soo much vuln\n\n## Impact\n\nSoo much impact",
      "triaged_at": null,
      "closed_at": null,
      "last_reporter_activity_at": "2021-06-30T09:59:38.294Z",
      "first_program_activity_at": "2021-06-30T09:59:38.294Z",
      "last_program_activity_at": "2021-06-30T09:59:38.294Z",
      "bounty_awarded_at": null,
      "swag_awarded_at": null,
      "disclosed_at": null,
      "reporter_agreed_on_going_public_at": null,
      "last_public_activity_at": "2021-06-30T09:59:38.294Z",
      "last_activity_at": "2021-06-30T09:59:38.294Z",
      "cve_ids": []
    },
    "relationships": {
      "reporter": {
        "data": {
          "id": "1337",
          "type": "user",
          "attributes": {
            "username": "hacker",
            "name": "Hacker",
            "disabled": false,
            "created_at": "2021-05-28T11:27:05.082Z",
            "profile_picture": {
              "62x62": "/assets/avatars/default.png",
              "82x82": "/assets/avatars/default.png",
              "110x110": "/assets/avatars/default.png",
              "260x260": "/assets/avatars/default.png"
            },
            "bio": "Hacker.",
            "website": "https://example.com",
            "location": "Hackland",
            "hackerone_triager": false
          }
        }
      },
      "program": {
        "data": {
          "id": "1337",
          "type": "program",
          "attributes": {
            "handle": "security",
            "created_at": "2013-01-01T00:00:00.000Z",
            "updated_at": "2021-06-25T10:04:59.678Z"
          }
        }
      },
      "severity": {
        "data": {
          "id": "74",
          "type": "severity",
          "attributes": {
            "rating": "high",
            "author_type": "User",
            "user_id": 1337,
            "created_at": "2021-06-30T09:59:38.029Z"
          }
        }
      },
      "swag": {
        "data": []
      },
      "attachments": {
        "data": []
      },
      "weakness": {
        "data": {
          "id": "1337",
          "type": "weakness",
          "attributes": {
            "name": "Cross-Site Request Forgery (CSRF)",
            "description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
            "external_id": "cwe-352",
            "created_at": "2021-05-28T11:26:59.604Z"
          }
        }
      },
      "activities": {
        "data": []
      },
      "bounties": {
        "data": []
      },
      "summaries": {
        "data": []
      }
    }
  }
}

A report object contains the information that hackers submitted to a program, the interactions the program users had with the report, and all additional meta information like bounties, swag, and internal references.

Attributes

Name Type Required Description
id string true The unique ID of the report.
type string true none
attributes object true none
» title string true The title of the report. May be updated through the HackerOne interface.
» vulnerability_information string false The raw report's vulnerability information. Markdown is not parsed.
» state report-states true The current state of the report. May be updated through the HackerOne interface or
the HackerOne API.
» created_at string(date-time) true The date and time the object was created. Formatted according
to ISO 8601.
» triaged_at string(date-time)¦null true The date and time the report was triaged. This attribute is reset when the
report was reopened after it was triaged. Formatted according to ISO 8601.
» closed_at string(date-time)¦null true The date and time the report was closed. This attribute is reset when the
report was reopened after it was closed. Formatted according to ISO 8601.
» last_reporter_activity_at string(date-time)¦null true The date and time that the most recent reporter activity was posted on the report.
Formatted according to ISO 8601.
» first_program_activity_at string(date-time)¦null true The date and time that the first program activity was posted on the report.
Formatted according to ISO 8601.
» last_program_activity_at string(date-time)¦null true The date and time that the most recent program activity was posted on the report.
Formatted according to ISO 8601.
» last_activity_at string(date-time)¦null true The date and time that the most recent activity was posted on the report.
Formatted according to ISO 8601.
» last_public_activity_at string(date-time)¦null true The date and time that the most recent public activity was posted on the report.
Formatted according to ISO 8601.
» bounty_awarded_at string(date-time)¦null true The date and time that the most recent bounty was awarded on the report.
Formatted according to ISO 8601.
» swag_awarded_at string(date-time)¦null true The date and time that the most recent swag was awarded on the report.
Formatted according to ISO 8601.
» disclosed_at string(date-time)¦null true The date and time the report was disclosed. Formatted according
to ISO 8601.
» reporter_agreed_on_going_public_at string(date-time)¦null true The date and time the reporter agreed for the public disclosure.
Formatted according to ISO 8601.
» cve_ids [string] false The CVE ID(s) assigned to this report.
relationships object true none
» program object true The program that received the report.
»» data program_small false A program object represents a disclosure program or bug bounty program on the
platform. When a user reports a bug to a program, this is
the object they interact with. Behind a program, there can be multiple users
that are part of the program. Those users can interact with reports on behalf
of the program.
» attachments object false A list of Attachment objects that the reporter added to the report.
»» data [attachment] false [Users can add attachments when they file a report or when they interact with a
report. Attachments may contain dangerous proof of concepts and should be handled
with caution.
]
» swag object false A list of Swag objects that were awarded to the reporter.
»» data [swag] false [Besides a financial reward, which is called a bounty, programs can
award swag. Report objects may contain multiple swag objects, one for each time
swag was awarded.
]
» weakness object false The Weakness object of the report provided by the reporter or team.
»» data weakness false A Weakness object represents the type of weakness the hacker submitted to a program.
The weakness was initially provided by the hacker, but may be reviewed and corrected
by the program.
» structured_scope object false The StructuredScope object of the report provided by the reporter or team.
»» data structured-scope false A StructuredScope object represents an asset defined by the program. The scope on a
report was initially provided by the hacker, but may be reviewed and corrected by
the program.
» severity object false The Severity object of the report provided by the reporter or team.
»» data severity false A severity object represents the severity of a report, if provided by the reporter or
a team member.
» reporter object false The user that created the report. This object contains the user's reputation, signal,
and impact metrics.
»» data user false User objects represent accounts on HackerOne. These objects are mostly referenced
when someone performed an action using that account. All different actors on the
platform, hackers, API users, and program users, have a user account.
» activities object false A list of Activity objects that can be used to generate a timeline of changes.
Activities are ordered by most recent first.
»» data [activity] false [These objects represent an action that was performed on a report.
Activities come in many sub types that can have additional attributes.
]
» bounties object false A list of Bounty objects that were awarded to the reporter.
»» data [bounty] false [When a program pays a bounty to the hacker, a bounty object is created.
A report may contain multiple bounty objects, one for each time a bounty was
awarded. The hacker that reported the vulnerability is the user that received
the bounty.
]
» summaries object false A list of Report Summary objects that were added to the report by the reporter
and team.
»» data [report-summary] false [Before a report is disclosed, the program, the HackerOne Triage team and hacker may add a summary. A
report can have only one summary per party. Unlike activities, summaries can
be edited through HackerOne indefinitely. Triage summaries are only
visible to team members and the HackerOne Triage team.
]

Enumerated Values

Property Value
type report

report-retest

{
  "id": "123",
  "type": "report-retest"
}

A report-retest object

Attributes

Name Type Required Description
id string false The unique ID of the report-retest object
type string false none
attributes object false none
required any false none
relationships object false none
» report object false The retested report
»» data report false A report object contains the information that hackers submitted to a program,
the interactions the program users had with the report, and all additional
meta information like bounties, swag, and internal references.

Enumerated Values

Property Value
type report-retest

report-retest-user

{
  "id": "1223",
  "type": "report-retest-user",
  "attributes": {
    "completed_at": "2016-02-02T04:05:06.000Z"
  }
}

A report-retest-user object represents a completion of a retest by a user.

Attributes

Name Type Required Description
id string false The unique ID of the report-retest-user object
type string false none
attributes object false none
» completed_at string(date-time) false The date and time the user completed the retest. Formatted according
to ISO 8601.
required any false none
relationships object false none
» report_retest object false The retest object completed by the user
»» data report-retest false A report-retest object

Enumerated Values

Property Value
type report-retest-user

report-states

"new"

Attributes

Name Type Required Description
report-states string false none

Enumerated Values

Property Value
report-states new
report-states pending-program-review
report-states triaged
report-states needs-more-info
report-states resolved
report-states not-applicable
report-states informative
report-states duplicate
report-states spam
report-states retesting

report-summary

{
  "id": "1337",
  "type": "report-summary",
  "attributes": {
    "content": "There was a cross-site scripting vulnerability in our login form.",
    "category": "team",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z"
  },
  "relationships": {
    "user": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

Before a report is disclosed, the program, the HackerOne Triage team and hacker may add a summary. A report can have only one summary per party. Unlike activities, summaries can be edited through HackerOne indefinitely. Triage summaries are only visible to team members and the HackerOne Triage team.

Attributes

Name Type Required Description
id string true The unique ID of the report summary.
type string true none
attributes object true none
» content string true The raw summary of the report. Markdown is not parsed.
» category string true The involved party that wrote the summary.
» created_at string(date-time) true The date and time the object was created. Formatted according
to ISO 8601.
» updated_at string(date-time) true The date and time the object was last updated. Formatted according
to ISO 8601.
relationships object true none
» user object true The author that added the summary to the report.
»» data user false User objects represent accounts on HackerOne. These objects are mostly referenced
when someone performed an action using that account. All different actors on the
platform, hackers, API users, and program users, have a user account.

Enumerated Values

Property Value
type report-summary
category researcher
category team
category triage

severity

{
  "id": "57",
  "type": "severity",
  "attributes": {
    "rating": "high",
    "author_type": "User",
    "user_id": 1337,
    "created_at": "2016-02-02T04:05:06.000Z",
    "score": 8.7,
    "attack_complexity": "low",
    "attack_vector": "adjacent",
    "availability": "high",
    "confidentiality": "low",
    "integrity": "high",
    "privileges_required": "low",
    "user_interaction": "required",
    "scope": "changed"
  }
}

A severity object represents the severity of a report, if provided by the reporter or a team member.

Attributes

Name Type Required Description
id string true The unique ID of the severity.
type string true none
attributes object true none
» rating severity-ratings true The qualitative rating of the severity. Provided either directly from the author or mapped from the calculated vulnerability score.
» author_type string true The involved party that provided the severity.
» user_id integer true The unique id of the user who created the object.
» score number¦null false The vulnerability score calculated from the Common Vulnerability Scoring System (CVSS).
Only present if CVSS metrics were provided.
» attack_vector string¦null false A CVSS metric that reflects the context by which vulnerability exploitation
is possible.
» attack_complexity string false A CVSS metric that describes the conditions beyond the attacker's control that must exist
in order to exploit the vulnerability.
» privileges_required string false A CVSS metric that describes the level of privileges an attacker must possess before
successfully exploiting the vulnerability.
» user_interaction string false A CVSS metric that captures the requirement for a user, other than the attacker, to
participate in the successful compromise of the vulnerability component.
» scope string¦null false A CVSS metric that determines if a successful attack impacts a component other than the
vulnerable component.
» confidentiality string false A CVSS metric that measures the impact to the confidentiality of the information resources
managed by a software component due to a successfully exploited vulnerability.
» integrity string false A CVSS metric that measures the impact to the integrity of a successfully exploited
vulnerability.
» availability string false A CVSS metric that measures the availability of the impacted component resulting from a
successfully exploited vulnerability.
» created_at string(date-time) true The date and time the object was created. Formatted according to ISO 8601.

Enumerated Values

Property Value
type severity
author_type User
author_type Team
attack_vector network
attack_vector adjacent
attack_vector local
attack_vector physical
attack_complexity low
attack_complexity high
privileges_required none
privileges_required low
privileges_required high
user_interaction none
user_interaction required
scope unchanged
scope changed
confidentiality none
confidentiality low
confidentiality high
integrity none
integrity low
integrity high
availability none
availability low
availability high

severity-ratings

"none"

The qualitative rating of the severity. Provided either directly from the author or mapped from the calculated vulnerability score.

Attributes

Name Type Required Description
severity-ratings string false The qualitative rating of the severity. Provided either directly from the author or mapped from the calculated vulnerability score.

Enumerated Values

Property Value
severity-ratings none
severity-ratings low
severity-ratings medium
severity-ratings high
severity-ratings critical

structured-scope

{
  "id": "57",
  "type": "structured-scope",
  "attributes": {
    "asset_identifier": "api.example.com",
    "asset_type": "URL",
    "confidentiality_requirement": "high",
    "integrity_requirement": "high",
    "availability_requirement": "high",
    "max_severity": "critical",
    "created_at": "2015-02-02T04:05:06.000Z",
    "updated_at": "2016-05-02T04:05:06.000Z",
    "instruction": null,
    "eligible_for_bounty": true,
    "eligible_for_submission": true,
    "reference": "H001001"
  }
}

A StructuredScope object represents an asset defined by the program. The scope on a report was initially provided by the hacker, but may be reviewed and corrected by the program.

Attributes

Name Type Required Description
id string true The unique ID of the scope.
type string true none
attributes object true none
» asset_identifier string true The identifier of the asset.
» asset_type string true The type of the asset.
» eligible_for_bounty boolean true If the asset is eligible for bounty.
» eligible_for_submission boolean true If the asset is eligible for submission.
» instruction string¦null false The raw instruction of the asset provided by the program.
Markdown is not parsed.
» confidentiality_requirement any false A CVSS environmental modifier that reweights Confidentiality Impact
of a vulnerability on this asset.
» integrity_requirement any false A CVSS environmental modifier that reweights Integrity Impact of a
vulnerability on this asset.
» availability_requirement any false A CVSS environmental modifier that reweights Availability Impact of
a vulnerability on this asset.
» max_severity any true The qualitative rating of the maximum severity allowed on this asset.
Its value is calculated from the combination of all three of the
environmental requirements (CR, IR, and AR).
» created_at string(date-time) true The date and time the object was created. Formatted according to ISO 8601.
» updated_at string(date-time) true The date and time the object was updated. Formatted according to ISO 8601.
» reference string¦null false The customer defined reference identifier or tag of the asset.

Enumerated Values

Property Value
type structured-scope
confidentiality_requirement none
confidentiality_requirement low
confidentiality_requirement medium
confidentiality_requirement high
integrity_requirement none
integrity_requirement low
integrity_requirement medium
integrity_requirement high
availability_requirement none
availability_requirement low
availability_requirement medium
availability_requirement high
max_severity none
max_severity low
max_severity medium
max_severity high
max_severity critical
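An added example (not HackerOne's code) of how an integration might validate an inbound severity object against the enumerated values above, rebuild its metric vector, and flag a rating above the asset's max_severity. The name check_severity, the CVSS v3 abbreviations, and the "medium" asset cap are assumptions of this example; the page does not name a CVSS version.

```python
# Enumerated values copied from the severity and structured-scope tables.
RATINGS = ["none", "low", "medium", "high", "critical"]  # lowest to highest
NLH = {"none": "N", "low": "L", "high": "H"}
# attribute -> (abbreviation, allowed values); CVSS v3 abbreviations are assumed.
METRICS = {
    "attack_vector": ("AV", {"network": "N", "adjacent": "A", "local": "L", "physical": "P"}),
    "attack_complexity": ("AC", {"low": "L", "high": "H"}),
    "privileges_required": ("PR", NLH),
    "user_interaction": ("UI", {"none": "N", "required": "R"}),
    "scope": ("S", {"unchanged": "U", "changed": "C"}),
    "confidentiality": ("C", NLH),
    "integrity": ("I", NLH),
    "availability": ("A", NLH),
}

def check_severity(severity, asset=None):
    """Return (vector or None, problems) for one severity object."""
    problems = []
    attrs = severity.get("attributes") or {}
    rating = attrs.get("rating")
    if rating not in RATINGS:
        problems.append(f"rating {rating!r} is not an enumerated value")
    parts = []
    for name, (abbr, allowed) in METRICS.items():
        value = attrs.get(name)  # metrics are optional and may be null
        if value is None:
            continue
        if isinstance(value, str) and value in allowed:
            parts.append(f"{abbr}:{allowed[value]}")
        else:
            problems.append(f"{name} {value!r} is not an enumerated value")
    vector = "/".join(parts) if len(parts) == len(METRICS) else None
    score = attrs.get("score")
    if score is not None:
        if isinstance(score, bool) or not isinstance(score, (int, float)) or not 0 <= score <= 10:
            problems.append(f"score {score!r} is outside the CVSS range 0-10")
        if vector is None:  # the page: score is only present with CVSS metrics
            problems.append("score present without a complete set of valid metrics")
    cap = ((asset or {}).get("attributes") or {}).get("max_severity")
    if rating in RATINGS and cap in RATINGS and RATINGS.index(rating) > RATINGS.index(cap):
        problems.append(f"rating {rating!r} exceeds asset max_severity {cap!r}")
    return vector, problems

# Severity attributes from this page's example; the asset cap is constructed.
PAGE_SEVERITY = {"id": "57", "type": "severity", "attributes": {
    "rating": "high", "score": 8.7, "attack_vector": "adjacent", "attack_complexity": "low",
    "privileges_required": "low", "user_interaction": "required", "scope": "changed",
    "confidentiality": "low", "integrity": "high", "availability": "high"}}
CAPPED_ASSET = {"type": "structured-scope", "attributes": {"max_severity": "medium"}}
```

Calling check_severity(PAGE_SEVERITY, CAPPED_ASSET) returns the rebuilt vector together with one problem, because "high" ranks above the constructed "medium" cap.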

swag

{
  "id": "1337",
  "type": "swag",
  "attributes": {
    "sent": false,
    "created_at": "2016-02-02T04:05:06.000Z"
  },
  "relationships": {
    "user": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    },
    "address": {
      "data": {
        "id": "1337",
        "type": "address",
        "attributes": {
          "name": "Jane Doe",
          "street": "535 Mission Street",
          "city": "San Francisco",
          "postal_code": "94105",
          "state": "CA",
          "country": "United States of America",
          "created_at": "2016-02-02T04:05:06.000Z",
          "tshirt_size": "W_Large",
          "phone_number": "+1-510-000-0000"
        }
      }
    }
  }
}

Besides a financial reward, which is called a bounty, programs can award swag. Report objects may contain multiple swag objects, one for each time swag was awarded.

Attributes

Name Type Required Description
id string true The unique ID of the swag.
type string true none
attributes object true none
» sent boolean true Indicates whether the swag has been marked as sent. Swag can be marked as
sent through the HackerOne interface.
» created_at string(date-time) true The date and time the object was created. Formatted according
to ISO 8601.
relationships object false none
» user object true none
»» data user false The user the swag was awarded to.
» address object true none
»» data address false The user's address to send the swag to.

Enumerated Values

Property Value
type swag

user

{
  "id": "1337",
  "type": "user",
  "attributes": {
    "username": "api-example",
    "name": "API Example",
    "disabled": false,
    "created_at": "2016-02-02T04:05:06.000Z",
    "profile_picture": {
      "62x62": "/assets/avatars/default.png",
      "82x82": "/assets/avatars/default.png",
      "110x110": "/assets/avatars/default.png",
      "260x260": "/assets/avatars/default.png"
    }
  }
}

User objects represent accounts on HackerOne. These objects are mostly referenced when someone performed an action using that account. All different actors on the platform, hackers, API users, and program users, have a user account.

Attributes

Name Type Required Description
id string true The unique ID of the user.
type string true none
attributes object true none
» disabled boolean true Indicates if the user is disabled.
» username string true The username of the user. Usernames are unique and scoped under the same
namespace as program handles.
» name string true The name of the user. A name may be empty and is free-format.
» profile_picture object true An object that holds URLs to different profile picture sizes.
»» 62x62 string true none
»» 82x82 string true none
»» 110x110 string true none
»» 260x260 string true none
» bio string¦null false The user's biography, as provided by the user.
» website string¦null false The user's website, as provided by the user.
» location string¦null false The user's location, as provided by the user.
» reputation number¦null false The reputation of the user. Read more about how this number is
calculated at https://www.hackerone.com/blog/introducing-reputation. This
attribute is only included in the reporter relationship of a
report object.
» signal number¦null false The signal of the user. This number ranges from -10 to 7. The closer to 7,
the higher the average submission quality of the user. This attribute is only
included in the reporter relationship of a report object.
Learn more about how this number is calculated at https://www.hackerone.com/blog/introducing-signal-and-impact.
» impact number¦null false The impact of the user. This number ranges from 0 to 50. The closer to 50,
the higher the average severity of the user's reports is. This attribute is only
included in the reporter relationship of a report object.
Learn more about how this number is calculated at https://www.hackerone.com/blog/introducing-signal-and-impact.
» hackerone_triager boolean¦null false Indicates if the user is a HackerOne triager.
» created_at string(date-time) true The date and time the object was created. Formatted according
to ISO 8601.
relationships object false none
» participating_programs object false none
»» data [object] false List of private programs that you manage to which this user is invited.
This attribute is only included when making use of the User > Read endpoint.

Enumerated Values

Property Value
type user

weakness

{
  "id": "1337",
  "type": "weakness",
  "attributes": {
    "name": "Cross-Site Request Forgery (CSRF)",
    "description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
    "created_at": "2016-02-02T04:05:06.000Z",
    "external_id": "cwe-352"
  }
}

A Weakness object represents the type of weakness the hacker submitted to a program. The weakness was initially provided by the hacker, but may be reviewed and corrected by the program.

Attributes

Name Type Required Description
id string true The unique ID of the weakness.
type string true none
attributes object false none
» name string true The name of the weakness.
» description string true The raw description of the weakness. Markdown is not parsed.
» external_id string true The weakness' external reference to CWE or CAPEC.
» created_at string(date-time) true The date and time the object was created. Formatted according to ISO 8601.

Enumerated Values

Property Value
type weakness