NAV
Shell Python Ruby Java Javascript Go

Hacker Resources

Hacktivity

Get Hacktivity

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/hackers/hacktivity" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/hackers/hacktivity',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/hackers/hacktivity',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/hackers/hacktivity");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/hackers/hacktivity',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/hackers/hacktivity", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

hacktivity items found

{
  "data": [
    {
      "id": 689314,
      "type": "report",
      "attributes": {
        "title": "Project Template functionality can be used to copy private project data",
        "substate": "Resolved",
        "url": "https://hackerone.com/reports/689314",
        "disclosed_at": "2019-11-27T10:02:44.156Z",
        "cve_ids": [],
        "cwe": "Privilege Escalation",
        "severity_rating": "critical",
        "votes": 438,
        "total_awarded_amount": 12000,
        "latest_disclosable_action": "Activities::ReportBecamePublic",
        "latest_disclosable_activity_at": "2019-11-27T10:02:44.181Z",
        "submitted_at": "2019-09-06T05:40:41.068Z",
        "disclosed": true
      },
      "relationships": {
        "report_generated_content": {
          "data": {
            "type": "report_generated_content",
            "attributes": {
              "hacktivity_summary": "Here you could see a generated summary."
            }
          }
        },
        "reporter": {
          "data": {
            "type": "user",
            "attributes": {
              "name": "Jobert Abma",
              "username": "jobert"
            }
          }
        },
        "program": {
          "data": {
            "type": "program",
            "attributes": {
              "handle": "gitlab",
              "name": "GitLab",
              "currency": "usd",
              "url": "https://hackerone.com/gitlab"
            }
          }
        }
      }
    }
  ]
}

Last revised: 2025-05-23

GET /hackers/hacktivity

This API endpoint allows you to query a paginated list of hacktivity_item objects.

Parameters

Name In Type Required Description
queryString path string true Expects an Apache Lucene query string syntax. Possible filters are severity_rating, asset_type, substate, cwe, cve_ids, reporter, team, total_awarded_amount, disclosed_at, has_collaboration and disclosed. Example: queryString=severity_rating:critical AND disclosed_at:>=01-01-1970 displays reports with a severity rating of critical that were disclosed after January 1st, 1970. If no query string is provided, all reports will be returned.'
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Detailed descriptions

queryString: Expects an Apache Lucene query string syntax. Possible filters are severity_rating, asset_type, substate, cwe, cve_ids, reporter, team, total_awarded_amount, disclosed_at, has_collaboration and disclosed. Example: queryString=severity_rating:critical AND disclosed_at:>=01-01-1970 displays reports with a severity rating of critical that were disclosed after January 1st, 1970. If no query string is provided, all reports will be returned.'

Reports

Get Reports

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/hackers/me/reports" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/hackers/me/reports',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/hackers/me/reports',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/hackers/me/reports");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/hackers/me/reports',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/hackers/me/reports", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

report found

{
  "data": [
    {
      "id": "1",
      "type": "report",
      "attributes": {
        "title": "Yet Another XSS",
        "state": "new",
        "created_at": "2016-02-02T04:05:06.000Z",
        "vulnerability_information": "Vuln information",
        "triaged_at": null,
        "closed_at": null,
        "last_reporter_activity_at": null,
        "first_program_activity_at": null,
        "last_program_activity_at": null,
        "bounty_awarded_at": null,
        "swag_awarded_at": null,
        "disclosed_at": null,
        "reporter_agreed_on_going_public_at": null,
        "last_public_activity_at": null,
        "last_activity_at": null
      },
      "relationships": {
        "reporter": {
          "data": {
            "id": "1",
            "type": "user",
            "attributes": {
              "username": "john",
              "name": "John",
              "disabled": false,
              "created_at": "2016-02-02T04:05:06.000Z",
              "profile_picture": {
                "62x62": "/assets/avatars/default.png",
                "82x82": "/assets/avatars/default.png",
                "110x110": "/assets/avatars/default.png",
                "260x260": "/assets/avatars/default.png"
              },
              "bio": "Super great hacker",
              "website": "http://hackerone.com",
              "location": "Who wants to know?",
              "hackerone_triager": false
            }
          }
        },
        "program": {
          "data": {
            "id": "1",
            "type": "program",
            "attributes": {
              "handle": "teamy",
              "created_at": null,
              "updated_at": null
            }
          }
        },
        "weakness": {
          "data": {
            "id": "2",
            "type": "weakness",
            "attributes": {
              "name": "Uncontrolled Resource Consumption",
              "description": "The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.",
              "external_id": "3",
              "created_at": "2016-02-02T04:05:06.000Z"
            }
          }
        }
      }
    },
    {
      "id": "2",
      "type": "report",
      "attributes": {
        "title": "Another XSS",
        "state": "new",
        "created_at": "2016-02-02T04:05:06.000Z",
        "vulnerability_information": "Vuln information",
        "triaged_at": null,
        "closed_at": null,
        "last_reporter_activity_at": null,
        "first_program_activity_at": null,
        "last_program_activity_at": null,
        "bounty_awarded_at": null,
        "swag_awarded_at": null,
        "disclosed_at": null,
        "reporter_agreed_on_going_public_at": null,
        "last_public_activity_at": null,
        "last_activity_at": null
      },
      "relationships": {
        "reporter": {
          "data": {
            "id": "3",
            "type": "user",
            "attributes": {
              "username": "john",
              "name": "John",
              "disabled": false,
              "created_at": "2016-02-02T04:05:06.000Z",
              "profile_picture": {
                "62x62": "/assets/avatars/default.png",
                "82x82": "/assets/avatars/default.png",
                "110x110": "/assets/avatars/default.png",
                "260x260": "/assets/avatars/default.png"
              },
              "bio": "Super great hacker",
              "website": "http://hackerone.com",
              "location": "Who wants to know?",
              "hackerone_triager": false
            }
          }
        },
        "program": {
          "data": {
            "id": "4",
            "type": "program",
            "attributes": {
              "handle": "teamy",
              "created_at": null,
              "updated_at": null
            }
          }
        },
        "weakness": {
          "data": {
            "id": "5",
            "type": "weakness",
            "attributes": {
              "name": "Uncontrolled Resource Consumption",
              "description": "The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.",
              "external_id": "2",
              "created_at": "2016-02-02T04:05:06.000Z"
            }
          }
        }
      }
    },
    {
      "id": "3",
      "type": "report",
      "attributes": {
        "title": "XSS",
        "state": "new",
        "created_at": "2016-02-02T04:05:06.000Z",
        "vulnerability_information": "Vuln information",
        "triaged_at": null,
        "closed_at": null,
        "last_reporter_activity_at": null,
        "first_program_activity_at": null,
        "last_program_activity_at": null,
        "bounty_awarded_at": null,
        "swag_awarded_at": null,
        "disclosed_at": null,
        "reporter_agreed_on_going_public_at": null,
        "last_public_activity_at": null,
        "last_activity_at": null
      },
      "relationships": {
        "reporter": {
          "data": {
            "id": "4",
            "type": "user",
            "attributes": {
              "username": "john",
              "name": "John",
              "disabled": false,
              "created_at": "2016-02-02T04:05:06.000Z",
              "profile_picture": {
                "62x62": "/assets/avatars/default.png",
                "82x82": "/assets/avatars/default.png",
                "110x110": "/assets/avatars/default.png",
                "260x260": "/assets/avatars/default.png"
              },
              "bio": "Super great hacker",
              "website": "http://hackerone.com",
              "location": "Who wants to know?",
              "hackerone_triager": false
            }
          }
        },
        "program": {
          "data": {
            "id": "5",
            "type": "program",
            "attributes": {
              "handle": "teamy",
              "created_at": null,
              "updated_at": null
            }
          }
        },
        "weakness": {
          "data": {
            "id": "6",
            "type": "weakness",
            "attributes": {
              "name": "Uncontrolled Resource Consumption",
              "description": "The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.",
              "external_id": "7",
              "created_at": "2016-02-02T04:05:06.000Z"
            }
          }
        }
      }
    }
  ],
  "links": {}
}

Last revised: 2025-05-23

GET /hackers/me/reports

This API endpoint allows you to query a paginated list of report objects.

Parameters

Name In Type Required Description
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Create Report

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/hackers/reports" \
  -X POST \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "report",
    "attributes": {
      "team_handle": "string",
      "title": "string",
      "vulnerability_information": "string",
      "impact": "string",
      "severity_rating": "none",
      "weakness_id": 0,
      "structured_scope_id": 0
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "report",
    "attributes": {
      "team_handle": "string",
      "title": "string",
      "vulnerability_information": "string",
      "impact": "string",
      "severity_rating": "none",
      "weakness_id": 0,
      "structured_scope_id": 0
    }
  }
}

r = requests.post(
  'https://api.hackerone.com/v1/hackers/reports',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "report",
    "attributes": {
      "team_handle": "string",
      "title": "string",
      "vulnerability_information": "string",
      "impact": "string",
      "severity_rating": "none",
      "weakness_id": 0,
      "structured_scope_id": 0
    }
  }
}

result = RestClient::Request.execute(
  method: :post,
  url: 'https://api.hackerone.com/v1/hackers/reports',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/hackers/reports");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"report\",\n    \"attributes\": {\n      \"team_handle\": \"string\",\n      \"title\": \"string\",\n      \"vulnerability_information\": \"string\",\n      \"impact\": \"string\",\n      \"severity_rating\": \"none\",\n      \"weakness_id\": 0,\n      \"structured_scope_id\": 0\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"report\",\n    \"attributes\": {\n      \"team_handle\": \"string\",\n      \"title\": \"string\",\n      \"vulnerability_information\": \"string\",\n      \"impact\": \"string\",\n      \"severity_rating\": \"none\",\n      \"weakness_id\": 0,\n      \"structured_scope_id\": 0\n    }\n  }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/hackers/reports',
{
  method: 'POST',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"report\",\n    \"attributes\": {\n      \"team_handle\": \"string\",\n      \"title\": \"string\",\n      \"vulnerability_information\": \"string\",\n      \"impact\": \"string\",\n      \"severity_rating\": \"none\",\n      \"weakness_id\": 0,\n      \"structured_scope_id\": 0\n    }\n  }\n}"`))

    req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/hackers/reports", data)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

report created

{
  "data": {
    "id": "1337",
    "type": "report",
    "attributes": {
      "title": "XSS in login form",
      "state": "new",
      "created_at": "2021-06-30T09:59:37.783Z",
      "vulnerability_information": "Soo much vuln\n\n## Impact\n\nSoo much impact",
      "triaged_at": null,
      "closed_at": null,
      "last_reporter_activity_at": "2021-06-30T09:59:38.294Z",
      "first_program_activity_at": "2021-06-30T09:59:38.294Z",
      "last_program_activity_at": "2021-06-30T09:59:38.294Z",
      "bounty_awarded_at": null,
      "swag_awarded_at": null,
      "disclosed_at": null,
      "reporter_agreed_on_going_public_at": null,
      "last_public_activity_at": "2021-06-30T09:59:38.294Z",
      "last_activity_at": "2021-06-30T09:59:38.294Z",
      "cve_ids": []
    },
    "relationships": {
      "reporter": {
        "data": {
          "id": "1337",
          "type": "user",
          "attributes": {
            "username": "hacker",
            "name": "Hacker",
            "disabled": false,
            "created_at": "2021-05-28T11:27:05.082Z",
            "profile_picture": {
              "62x62": "/assets/avatars/default.png",
              "82x82": "/assets/avatars/default.png",
              "110x110": "/assets/avatars/default.png",
              "260x260": "/assets/avatars/default.png"
            },
            "bio": "Hacker.",
            "website": "https://example.com",
            "location": "Hackland",
            "hackerone_triager": false
          }
        }
      },
      "program": {
        "data": {
          "id": "1337",
          "type": "program",
          "attributes": {
            "handle": "security",
            "created_at": "2013-01-01T00:00:00.000Z",
            "updated_at": "2021-06-25T10:04:59.678Z"
          }
        }
      },
      "severity": {
        "data": {
          "id": "74",
          "type": "severity",
          "attributes": {
            "rating": "high",
            "author_type": "User",
            "user_id": 1337,
            "created_at": "2021-06-30T09:59:38.029Z"
          }
        }
      },
      "swag": {
        "data": []
      },
      "attachments": {
        "data": []
      },
      "weakness": {
        "data": {
          "id": "1337",
          "type": "weakness",
          "attributes": {
            "name": "Cross-Site Request Forgery (CSRF)",
            "description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
            "external_id": "cwe-352",
            "created_at": "2021-05-28T11:26:59.604Z"
          }
        }
      },
      "activities": {
        "data": []
      },
      "bounties": {
        "data": []
      },
      "summaries": {
        "data": []
      }
    }
  }
}

Last revised: 2025-05-23

POST /hackers/reports

This API endpoint can be used to submit reports to a specific team on the HackerOne platform. When the API call is successful, a report object will be returned.

Parameters

Name In Type Required Description
data body object true The information to create a report.
» type body string true none
» attributes body object true none
»» team_handle body string true The handle of the team that the report is being submitted to.
»» title body string true The title of the report.
»» vulnerability_information body string true Detailed information about the vulnerability including the steps to reproduce as well as supporting material and references.
»» impact body string true The security impact that an attacker could achieve.
»» severity_rating body severity-ratings false The qualitative rating of the severity. Provided either directly from the author or mapped from the calculated vulnerability score.
»» weakness_id body integer false The ID of the weakness object that describes the type of the potential issue.
»» structured_scope_id body integer false The ID of the structured scope object that describes the attack surface.

Enumerated Values

Parameter Value
» type report
»» severity_rating none
»» severity_rating low
»» severity_rating medium
»» severity_rating high
»» severity_rating critical

Get Report

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/hackers/reports/{id}" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/hackers/reports/{id}',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/hackers/reports/{id}',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/hackers/reports/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/hackers/reports/{id}',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/hackers/reports/{id}", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

report found

{
  "data": {
    "id": "1337",
    "type": "report",
    "attributes": {
      "title": "XSS in login form",
      "state": "new",
      "created_at": "2016-02-02T04:05:06.000Z",
      "vulnerability_information": "...",
      "triaged_at": null,
      "closed_at": null,
      "last_reporter_activity_at": null,
      "first_program_activity_at": null,
      "last_program_activity_at": null,
      "bounty_awarded_at": null,
      "swag_awarded_at": null,
      "disclosed_at": null,
      "source": null
    },
    "relationships": {
      "reporter": {
        "data": {
          "id": "1337",
          "type": "user",
          "attributes": {
            "username": "api-example",
            "name": "API Example",
            "disabled": false,
            "created_at": "2016-02-02T04:05:06.000Z",
            "profile_picture": {
              "62x62": "/assets/avatars/default.png",
              "82x82": "/assets/avatars/default.png",
              "110x110": "/assets/avatars/default.png",
              "260x260": "/assets/avatars/default.png"
            }
          }
        }
      },
      "assignee": {
        "data": {
          "id": "1337",
          "type": "user",
          "attributes": {
            "username": "member",
            "name": "Member",
            "disabled": false,
            "created_at": "2016-02-02T04:05:06.000Z",
            "profile_picture": {
              "62x62": "/assets/avatars/default.png",
              "82x82": "/assets/avatars/default.png",
              "110x110": "/assets/avatars/default.png",
              "260x260": "/assets/avatars/default.png"
            }
          }
        }
      },
      "program": {
        "data": {
          "id": "1337",
          "type": "program",
          "attributes": {
            "handle": "security",
            "created_at": "2016-02-02T04:05:06.000Z",
            "updated_at": "2016-02-02T04:05:06.000Z"
          }
        }
      },
      "severity": {
        "data": {
          "id": "57",
          "type": "severity",
          "attributes": {
            "rating": "high",
            "author_type": "User",
            "user_id": 1337,
            "created_at": "2016-02-02T04:05:06.000Z",
            "score": 8.7,
            "attack_complexity": "low",
            "attack_vector": "adjacent",
            "availability": "high",
            "confidentiality": "low",
            "integrity": "high",
            "privileges_required": "low",
            "user_interaction": "required",
            "scope": "changed"
          }
        }
      },
      "swag": {
        "data": []
      },
      "attachments": {
        "data": []
      },
      "weakness": {
        "data": {
          "id": "1337",
          "type": "weakness",
          "attributes": {
            "name": "Cross-Site Request Forgery (CSRF)",
            "description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
            "external_id": "cwe-352",
            "created_at": "2016-02-02T04:05:06.000Z"
          }
        }
      },
      "structured_scope": {
        "data": {
          "id": "57",
          "type": "structured-scope",
          "attributes": {
            "asset_identifier": "api.example.com",
            "asset_type": "url",
            "confidentiality_requirement": "high",
            "integrity_requirement": "high",
            "availability_requirement": "high",
            "max_severity": "critical",
            "created_at": "2015-02-02T04:05:06.000Z",
            "updated_at": "2016-05-02T04:05:06.000Z",
            "instruction": null,
            "eligible_for_bounty": true,
            "eligible_for_submission": true,
            "reference": "H001001"
          }
        }
      },
      "activities": {
        "data": [
          {
            "type": "activity-comment",
            "id": "445",
            "attributes": {
              "message": "Comment!",
              "created_at": "2016-02-02T04:05:06.000Z",
              "updated_at": "2016-02-02T04:05:06.000Z",
              "internal": false
            },
            "relationships": {
              "actor": {
                "data": {
                  "id": "1337",
                  "type": "user",
                  "attributes": {
                    "username": "api-example",
                    "name": "API Example",
                    "disabled": false,
                    "created_at": "2016-02-02T04:05:06.000Z",
                    "profile_picture": {
                      "62x62": "/assets/avatars/default.png",
                      "82x82": "/assets/avatars/default.png",
                      "110x110": "/assets/avatars/default.png",
                      "260x260": "/assets/avatars/default.png"
                    },
                    "signal": null,
                    "impact": null,
                    "reputation": null,
                    "bio": null,
                    "website": null,
                    "location": null,
                    "hackerone_triager": false
                  }
                }
              },
              "attachments": {
                "data": [
                  {
                    "id": "1337",
                    "type": "attachment",
                    "attributes": {
                      "expiring_url": "/system/attachments/files/000/001/337/original/root.rb?1454385906",
                      "created_at": "2016-02-02T04:05:06.000Z",
                      "file_name": "root.rb",
                      "content_type": "text/x-ruby",
                      "file_size": 2871
                    }
                  }
                ]
              }
            }
          },
          {
            "id": "1337",
            "type": "activity-bug-resolved",
            "attributes": {
              "message": "Bug Resolved!",
              "created_at": "2016-02-02T04:05:06.000Z",
              "updated_at": "2016-02-02T04:05:06.000Z",
              "internal": false
            },
            "relationships": {
              "actor": {
                "data": {
                  "id": "1337",
                  "type": "user",
                  "attributes": {
                    "username": "api-example",
                    "name": "API Example",
                    "disabled": false,
                    "created_at": "2016-02-02T04:05:06.000Z",
                    "profile_picture": {
                      "62x62": "/assets/avatars/default.png",
                      "82x82": "/assets/avatars/default.png",
                      "110x110": "/assets/avatars/default.png",
                      "260x260": "/assets/avatars/default.png"
                    }
                  }
                }
              }
            }
          }
        ]
      },
      "bounties": {
        "data": []
      },
      "summaries": {
        "data": []
      },
      "triggered_pre_submission_trigger": {
        "data": {
          "id": "1337",
          "type": "trigger",
          "attributes": {
            "title": "Example Trigger"
          }
        }
      },
      "custom_field_values": {
        "data": []
      },
      "automated_remediation_guidance": {
        "data": {
          "id": "1",
          "type": "automated-remediation-guidance",
          "attributes": {
            "reference": "https://cwe.mitre.org/data/definitions/120.html",
            "created_at": "2020-10-23T12:09:37.859Z"
          }
        }
      },
      "custom_remediation_guidance": {
        "data": {
          "id": "84",
          "type": "custom-remediation-guidance",
          "attributes": {
            "message": "Check buffer boundaries if accessing the buffer in a loop and make sure you are not in danger of writing past the allocated space.",
            "created_at": "2020-10-26T08:47:23.296Z"
          },
          "relationships": {
            "author": {
              "data": {
                "id": "1338",
                "type": "user",
                "attributes": {
                  "username": "api-example-2",
                  "name": "API Example 2",
                  "disabled": false,
                  "created_at": "2020-10-22T011:22:05.402Z",
                  "profile_picture": {
                    "62x62": "/assets/avatars/default.png",
                    "82x82": "/assets/avatars/default.png",
                    "110x110": "/assets/avatars/default.png",
                    "260x260": "/assets/avatars/default.png"
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}

Last revised: 2025-05-23

GET /hackers/reports/{id}

A report object can be fetched by sending a GET request to a unique report object. In case the request was successful, the API will respond with a report object.

The following report relationships are included: reporter, assignee (a user or group), program, weakness, severity, bounties, swag,activities, attachments, structured scope and summaries.

NOTE

vulnerability_information will only be included in the response if the hacker owns the report being viewed.

Parameters

Name In Type Required Description
id path integer true The ID of the report.

Balance

Get Balance

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/hackers/payments/balance" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/hackers/payments/balance',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/hackers/payments/balance',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/hackers/payments/balance");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/hackers/payments/balance',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/hackers/payments/balance", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

balance found

{
  "data": {
    "balance": 105
  }
}

Last revised: 2025-05-23

GET /hackers/payments/balance

This API endpoint allows you to query your balance.

Earnings

Get Earnings

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/hackers/payments/earnings" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/hackers/payments/earnings',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/hackers/payments/earnings',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/hackers/payments/earnings");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/hackers/payments/earnings',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/hackers/payments/earnings", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

earnings found

{
  "data": [
    {
      "id": "1",
      "type": "earning-bounty-earned",
      "attributes": {
        "amount": 150,
        "created_at": "2015-02-02T04:05:06.000Z"
      },
      "relationships": {
        "program": {
          "data": {
            "id": "9",
            "type": "program",
            "attributes": {
              "handle": "acme",
              "name": "Acme",
              "currency": null,
              "profile_picture": null,
              "submission_state": null,
              "triage_active": null,
              "state": null,
              "started_accepting_at": null,
              "number_of_reports_for_user": null,
              "number_of_valid_reports_for_user": null,
              "bounty_earned_for_user": null,
              "last_invitation_accepted_at_for_user": null,
              "bookmarked": null,
              "allows_bounty_splitting": null
            }
          }
        },
        "bounty": {
          "data": {
            "id": "123",
            "type": "bounty",
            "attributes": {
              "amount": "150.00",
              "bonus_amount": "0.00",
              "awarded_amount": "150.00",
              "awarded_bonus_amount": "0.00",
              "awarded_currency": "USD",
              "created_at": "2015-02-02T04:05:06.000Z"
            },
            "relationships": {
              "report": {
                "data": {
                  "id": "123",
                  "type": "report",
                  "attributes": {
                    "title": "Great bounty",
                    "state": "resolved",
                    "created_at": "2015-02-02T04:05:06.000Z",
                    "vulnerability_information": "Vuln information",
                    "triaged_at": null,
                    "closed_at": "2015-02-02T04:05:06.000Z",
                    "last_reporter_activity_at": null,
                    "first_program_activity_at": null,
                    "last_program_activity_at": null,
                    "bounty_awarded_at": null,
                    "swag_awarded_at": null,
                    "disclosed_at": null,
                    "reporter_agreed_on_going_public_at": null,
                    "last_public_activity_at": null,
                    "last_activity_at": null
                  }
                }
              }
            }
          }
        }
      }
    }
  ],
  "links": {}
}

Last revised: 2025-05-23

GET /hackers/payments/earnings

This API endpoint allows you to query a paginated list of earning objects.

Parameters

Name In Type Required Description
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Payouts

Get Payouts

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/hackers/payments/payouts" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/hackers/payments/payouts',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/hackers/payments/payouts',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/hackers/payments/payouts");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/hackers/payments/payouts',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/hackers/payments/payouts", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

earnings found

{
  "data": [
    {
      "amount": 100,
      "paid_out_at": "2016-02-02T04:05:06.000Z",
      "reference": "<reference>",
      "payout_provider": "PayPal",
      "status": "sent"
    }
  ],
  "links": {}
}

Last revised: 2025-05-23

GET /hackers/payments/payouts

This API endpoint allows you to query a paginated list of payout objects.

Parameters

Name In Type Required Description
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Programs

Get Structured Scopes

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/hackers/programs/{handle}/structured_scopes" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/hackers/programs/{handle}/structured_scopes',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/hackers/programs/{handle}/structured_scopes',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/hackers/programs/{handle}/structured_scopes");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/hackers/programs/{handle}/structured_scopes',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/hackers/programs/{handle}/structured_scopes", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

structured scopes found

{
  "data": [
    {
      "id": "<id>",
      "type": "structured-scope",
      "attributes": {
        "asset_type": "URL",
        "asset_identifier": "https://api.hackerone.com",
        "eligible_for_bounty": true,
        "eligible_for_submission": true,
        "instruction": "This is our API",
        "max_severity": "critical",
        "created_at": "<date>",
        "updated_at": "<date>",
        "confidentiality_requirement": "high",
        "integrity_requirement": "high",
        "availability_requirement": "high"
      }
    }
  ],
  "links": {
    "self": "http://api.test.host/v1/hackers/programs/acme/structured_scopes?page%5Bsize%5D=1",
    "next": "http://api.test.host/v1/hackers/programs/acme/structured_scopes?page%5Bnumber%5D=2&page%5Bsize%5D=1",
    "last": "http://api.test.host/v1/hackers/programs/acme/structured_scopes?page%5Bnumber%5D=3&page%5Bsize%5D=1"
  }
}

Last revised: 2025-05-23

GET /hackers/programs/{handle}/structured_scopes

The Structured Scopes endpoint enables you to retrieve a list of all structured_scopes of the program.

Structured Scopes can be fetched by sending a GET request to the structured_scopes endpoint. When the request is successful, the API will respond with paginated structured_scope objects.

Parameters

Name In Type Required Description
handle path string true The handle of the program.
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Get Weaknesses

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/hackers/programs/{handle}/weaknesses" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/hackers/programs/{handle}/weaknesses',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/hackers/programs/{handle}/weaknesses',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/hackers/programs/{handle}/weaknesses");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/hackers/programs/{handle}/weaknesses',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/hackers/programs/{handle}/weaknesses", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

weaknesses found

{
  "data": [
    {
      "id": "1337",
      "type": "weakness",
      "attributes": {
        "name": "Cross-Site Request Forgery (CSRF)",
        "description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
        "created_at": "2016-02-02T04:05:06.000Z",
        "external_id": "cwe-352"
      }
    },
    {
      "id": "1338",
      "type": "weakness",
      "attributes": {
        "name": "SQL Injection",
        "description": "The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.",
        "created_at": "2016-03-02T04:05:06.000Z",
        "external_id": "cwe-89"
      }
    }
  ],
  "links": {}
}

Last revised: 2025-05-23

GET /hackers/programs/{handle}/weaknesses

The Weakness endpoint enables you to retrieve a list of all weaknesses of the program.

Weaknesses can be fetched by sending a GET request to the weaknesses endpoint. When the request is successful, the API will respond with paginated weakness objects.

Parameters

Name In Type Required Description
handle path string true The handle of the program.
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Get Programs

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/hackers/programs" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/hackers/programs',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/hackers/programs',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/hackers/programs");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/hackers/programs',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/hackers/programs", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

programs found

{
  "data": [
    {
      "id": 9,
      "type": "program",
      "attributes": {
        "handle": "acme",
        "name": "acme",
        "currency": "usd",
        "policy": "acme's program policy.",
        "profile_picture": "/assets/global-elements/add-team.png",
        "submission_state": "open",
        "triage_active": null,
        "state": "public_mode",
        "started_accepting_at": null,
        "number_of_reports_for_user": 0,
        "number_of_valid_reports_for_user": 0,
        "bounty_earned_for_user": 0,
        "last_invitation_accepted_at_for_user": null,
        "bookmarked": false,
        "allows_bounty_splitting": false,
        "offers_bounties": true,
        "open_scope": true,
        "fast_payments": true,
        "gold_standard_safe_harbor": false
      }
    }
  ],
  "links": {}
}

Last revised: 2025-08-26

GET /hackers/programs

This API endpoint allows you to query a paginated list of program objects.

Parameters

Name In Type Required Description
page[number] query integer false The page to retrieve from. The default is set to 1.
page[size] query integer false The number of objects per page (currently limited from 1 to 100). The default is set to 25.

Get Program

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/hackers/programs/{handle}" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/hackers/programs/{handle}',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/hackers/programs/{handle}',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/hackers/programs/{handle}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/hackers/programs/{handle}',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/hackers/programs/{handle}", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

program found

{
  "data": {
    "id": 9,
    "type": "program",
    "attributes": {
      "handle": "acme",
      "name": "acme",
      "currency": "usd",
      "policy": "acme's program policy.",
      "profile_picture": "/assets/global-elements/add-team.png",
      "submission_state": "open",
      "triage_active": null,
      "state": "public_mode",
      "started_accepting_at": null,
      "number_of_reports_for_user": 0,
      "number_of_valid_reports_for_user": 0,
      "bounty_earned_for_user": 0,
      "last_invitation_accepted_at_for_user": null,
      "bookmarked": false,
      "allows_bounty_splitting": false,
      "offers_bounties": true,
      "open_scope": true,
      "fast_payments": true,
      "gold_standard_safe_harbor": false
    },
    "relationships": {
      "structured_scopes": {
        "data": []
      }
    }
  }
}

Last revised: 2025-08-26

GET /hackers/programs/{handle}

A program object can be fetched by sending a GET request to a unique program object. When the request is successful, the API will respond with a program object.

NOTE

If you want to fetch all structured_scopes for a program you can use get structured scopes API endpoint.

Parameters

Name In Type Required Description
handle path string true The handle of the program. Find the program handle by fetching your programs

Report Intents

Get Report Intent Attachments

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/hackers/report_intents/{report_intent_id}/attachments" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/hackers/report_intents/{report_intent_id}/attachments',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/hackers/report_intents/{report_intent_id}/attachments',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/hackers/report_intents/{report_intent_id}/attachments");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/hackers/report_intents/{report_intent_id}/attachments',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/hackers/report_intents/{report_intent_id}/attachments", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

attachments retrieved

{
  "data": [
    {
      "id": "9",
      "type": "attachment",
      "attributes": {
        "expiring_url": "https://hackerone.com/url/to/attachment",
        "created_at": "2025-09-25T13:01:28.293Z",
        "file_name": "attachment1.png",
        "content_type": "image/png",
        "file_size": 13808
      }
    },
    {
      "id": "10",
      "type": "attachment",
      "attributes": {
        "expiring_url": "https://hackerone.com/url/to/attachment",
        "created_at": "2025-09-25T13:01:29.084Z",
        "file_name": "attachment2.png",
        "content_type": "image/png",
        "file_size": 13808
      }
    }
  ]
}

report intent not found

{
  "errors": [
    {
      "status": 404,
      "detail": "Report Intent not found"
    }
  ]
}

Last revised: 2025-10-06

GET /hackers/report_intents/{report_intent_id}/attachments

Retrieve all attachments associated with a specific report intent.

Parameters

Name In Type Required Description
report_intent_id path integer true The ID of the report intent.

Upload Report Intent Attachments

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/hackers/report_intents/{report_intent_id}/attachments" \
  -X POST \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Content-Type: multipart/form-data' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "files[]": [
    "string"
  ]
}
EOD

import requests
headers = {
  'Content-Type': 'multipart/form-data',
  'Accept': 'application/json'
}

data = {
  "files[]": [
    "string"
  ]
}

r = requests.post(
  'https://api.hackerone.com/v1/hackers/report_intents/{report_intent_id}/attachments',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'multipart/form-data',
  'Accept' => 'application/json'
}

data = {
  "files[]": [
    "string"
  ]
}

result = RestClient::Request.execute(
  method: :post,
  url: 'https://api.hackerone.com/v1/hackers/report_intents/{report_intent_id}/attachments',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/hackers/report_intents/{report_intent_id}/attachments");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"files[]\": [\n    \"string\"\n  ]\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"files[]\": [\n    \"string\"\n  ]\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'multipart/form-data');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/hackers/report_intents/{report_intent_id}/attachments',
{
  method: 'POST',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"multipart/form-data"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"files[]\": [\n    \"string\"\n  ]\n}"`))

    req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/hackers/report_intents/{report_intent_id}/attachments", data)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

attachments uploaded

{
  "data": {
    "id": "9",
    "type": "attachment",
    "attributes": {
      "expiring_url": "https://hackerone.com/url/to/attachment",
      "created_at": "2025-09-25T13:01:28.293Z",
      "file_name": "attachment1.png",
      "content_type": "image/png",
      "file_size": 13808
    }
  }
}

Last revised: 2025-10-06

POST /hackers/report_intents/{report_intent_id}/attachments

Upload one or more attachments to a report intent. Attachments can include screenshots, logs, or other supporting materials that help demonstrate the vulnerability.

Use the files[] form data parameter to upload multiple files in a single request. Each file should be included as a separate entry in the files[] array.

The uploaded files will be processed and associated with the report intent. When the report intent is eventually submitted as a vulnerability report, these attachments will be included.

Note: Report intents must be in an editable state (not submitted) to accept new attachments.

Parameters

Name In Type Required Description
files[] body [string] false Array of files to upload. Note that this needs to be sent as part of the form data, not as JSON in the request body.
report_intent_id path integer true The ID of the report intent.

Delete Report Intent Attachment

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/hackers/report_intents/{report_intent_id}/attachments/{id}" \
  -X DELETE \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.delete(
  'https://api.hackerone.com/v1/hackers/report_intents/{report_intent_id}/attachments/{id}',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :delete,
  url: 'https://api.hackerone.com/v1/hackers/report_intents/{report_intent_id}/attachments/{id}',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/hackers/report_intents/{report_intent_id}/attachments/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("DELETE");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/hackers/report_intents/{report_intent_id}/attachments/{id}',
{
  method: 'DELETE',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("DELETE", "https://api.hackerone.com/v1/hackers/report_intents/{report_intent_id}/attachments/{id}", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

attachment deleted

{
  "data": [
    {
      "id": "10",
      "type": "attachment",
      "attributes": {
        "expiring_url": "https://hackerone.com/url/to/attachment",
        "created_at": "2025-09-25T13:01:29.084Z",
        "file_name": "attachment2.png",
        "content_type": "image/png",
        "file_size": 13808
      }
    }
  ]
}

report intent not found

{
  "errors": [
    {
      "status": 404,
      "detail": "Report Intent not found"
    }
  ]
}

Last revised: 2025-10-06

DELETE /hackers/report_intents/{report_intent_id}/attachments/{id}

Delete a specific attachment from a report intent. This action is irreversible.

Only the author of the report intent can delete attachments, and only if the report intent has not been submitted yet.

Parameters

Name In Type Required Description
report_intent_id path integer true The ID of the report intent.
id path integer true The ID of the attachment to delete.

Get Report Intents

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/hackers/report_intents" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/hackers/report_intents',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/hackers/report_intents',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/hackers/report_intents");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/hackers/report_intents',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/hackers/report_intents", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

report intents retrieved

{
  "data": [
    {
      "id": "23",
      "type": "report-intent",
      "attributes": {
        "title": "IDOR vulnerability allowing unauthorized access to user data",
        "description": "## Summary:\nFound IDOR (Insecure Direct Object Reference) vulnerability allowing access to other users' data.\n\n## Steps To Reproduce:\n[add details for how we can reproduce the issue]\n\n  1. [add step]\n  1. [add step]\n  1. [add step]\n\n## Supporting Material/References:\n[list any additional material (e.g. screenshots, logs, etc.)]\n\n  * [attachment / reference]",
        "state": "ready_to_submit",
        "has_failing_jobs": true,
        "job_status_by_type": {
          "assistant_response": "succeeded",
          "revise_intent": "succeeded",
          "analyze_asset_type": "succeeded",
          "analyze_vulnerability_presence": "failed",
          "analyze_bug_type": "succeeded",
          "extract_metadata": "succeeded",
          "determine_asset": "failed",
          "analyze_cif_cir": "succeeded",
          "analyze_bug_class_completeness": "failed",
          "assistant_summary": "succeeded"
        },
        "metadata": {
          "bug_class": "Insecure Direct Object Reference (IDOR)",
          "http_method": null,
          "vulnerable_url": null,
          "vulnerable_parameter": null
        }
      }
    },
    {
      "id": "24",
      "type": "report-intent",
      "attributes": {
        "title": "Reflected XSS in search functionality via search parameter leads to arbitrary JavaScript execution",
        "description": "## Summary:\nCross-Site Scripting (XSS) vulnerability in the search parameter that allows for arbitrary JavaScript execution.\n\n## Steps To Reproduce:\n1. Navigate to the search functionality\n2. Enter the payload `<script>alert(1)</script>` into the search parameter\n3. Submit the search query\n4. Observe that the JavaScript executes, displaying an alert box with the number \"1\"\n\n## Supporting Material/References:\n* No additional materials provided",
        "state": "ready_to_submit",
        "has_failing_jobs": true,
        "job_status_by_type": {
          "assistant_response": "succeeded",
          "revise_intent": "succeeded",
          "analyze_asset_type": "succeeded",
          "analyze_vulnerability_presence": "succeeded",
          "analyze_bug_type": "succeeded",
          "extract_metadata": "succeeded",
          "determine_asset": "failed",
          "analyze_cif_cir": "succeeded",
          "analyze_bug_class_completeness": "failed",
          "assistant_summary": "succeeded"
        },
        "metadata": {
          "bug_class": "Reflected Cross-Site Scripting (XSS)",
          "http_method": null,
          "vulnerable_url": null,
          "vulnerable_parameter": "search"
        }
      }
    }
  ]
}

Last revised: 2025-10-06

GET /hackers/report_intents

Retrieve a list of report intents created by the requester.

Create Report Intent

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/hackers/report_intents" \
  -X POST \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "report-intent",
    "attributes": {
      "team_handle": "security",
      "description": "I found an XSS on hackerone.com, here are the reproduction steps:..."
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "report-intent",
    "attributes": {
      "team_handle": "security",
      "description": "I found an XSS on hackerone.com, here are the reproduction steps:..."
    }
  }
}

r = requests.post(
  'https://api.hackerone.com/v1/hackers/report_intents',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "report-intent",
    "attributes": {
      "team_handle": "security",
      "description": "I found an XSS on hackerone.com, here are the reproduction steps:..."
    }
  }
}

result = RestClient::Request.execute(
  method: :post,
  url: 'https://api.hackerone.com/v1/hackers/report_intents',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/hackers/report_intents");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"report-intent\",\n    \"attributes\": {\n      \"team_handle\": \"security\",\n      \"description\": \"I found an XSS on hackerone.com, here are the reproduction steps:...\"\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"report-intent\",\n    \"attributes\": {\n      \"team_handle\": \"security\",\n      \"description\": \"I found an XSS on hackerone.com, here are the reproduction steps:...\"\n    }\n  }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/hackers/report_intents',
{
  method: 'POST',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"report-intent\",\n    \"attributes\": {\n      \"team_handle\": \"security\",\n      \"description\": \"I found an XSS on hackerone.com, here are the reproduction steps:...\"\n    }\n  }\n}"`))

    req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/hackers/report_intents", data)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

report intent created

{
  "data": {
    "id": "25",
    "type": "report-intent",
    "attributes": {
      "title": "Report Intent #25",
      "description": "Your vulnerability description here",
      "state": "pending",
      "has_failing_jobs": false,
      "job_status_by_type": {
        "assistant_response": "pending"
      },
      "metadata": {}
    }
  }
}

Last revised: 2025-10-06

POST /hackers/report_intents

Create an initial report intent. Use the "Get Report Intent" endpoint to poll the report intent until all pipelines have completed.

Parameters

Name In Type Required Description
data body object true none
» type body string true none
» attributes body object true none
»» team_handle body string true Program team handle to submit this report to. This team needs to enable Report Assistant.
»» description body string true Any details you have about the vulnerability. The more details you provide, the better the AI can assist you.

Get Report Intent

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/hackers/report_intents/{id}" \
  -X GET \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/hackers/report_intents/{id}',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/hackers/report_intents/{id}',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/hackers/report_intents/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/hackers/report_intents/{id}',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/hackers/report_intents/{id}", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

report intent retrieved

{
  "data": {
    "id": "25",
    "type": "report-intent",
    "attributes": {
      "title": "Reflected XSS in search functionality via search parameter leads to arbitrary JavaScript execution",
      "description": "## Summary:\nCross-Site Scripting (XSS) vulnerability in the search parameter that allows for arbitrary JavaScript execution.\n\n## Steps To Reproduce:\n1. Navigate to the search functionality\n2. Enter the payload `<script>alert(1)</script>` into the search parameter\n3. Submit the search query\n4. Observe that the JavaScript executes, displaying an alert box with the number \"1\"\n\n## Supporting Material/References:\n* No additional materials provided",
      "state": "ready_to_submit",
      "has_failing_jobs": true,
      "job_status_by_type": {
        "assistant_response": "succeeded",
        "revise_intent": "succeeded",
        "analyze_asset_type": "succeeded",
        "analyze_vulnerability_presence": "succeeded",
        "analyze_bug_type": "succeeded",
        "extract_metadata": "succeeded",
        "determine_asset": "failed",
        "analyze_cif_cir": "succeeded",
        "analyze_bug_class_completeness": "failed",
        "assistant_summary": "succeeded"
      },
      "metadata": {
        "bug_class": "Reflected Cross-Site Scripting (XSS)",
        "http_method": null,
        "vulnerable_url": null,
        "vulnerable_parameter": "search"
      }
    }
  }
}

report intent not found

{
  "errors": [
    {
      "status": 404,
      "detail": "Report Intent not found"
    }
  ]
}

Last revised: 2025-10-06

GET /hackers/report_intents/{id}

Retrieve a specific report intent by ID.

Parameters

Name In Type Required Description
id path string true Report Intent ID

Update Report Intent

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/hackers/report_intents/{id}" \
  -X PATCH \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "report-intent",
    "attributes": {
      "description": "I found an XSS on hackerone.com, here are the reproduction steps:..."
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "report-intent",
    "attributes": {
      "description": "I found an XSS on hackerone.com, here are the reproduction steps:..."
    }
  }
}

r = requests.patch(
  'https://api.hackerone.com/v1/hackers/report_intents/{id}',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "report-intent",
    "attributes": {
      "description": "I found an XSS on hackerone.com, here are the reproduction steps:..."
    }
  }
}

result = RestClient::Request.execute(
  method: :patch,
  url: 'https://api.hackerone.com/v1/hackers/report_intents/{id}',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/hackers/report_intents/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("PATCH");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"report-intent\",\n    \"attributes\": {\n      \"description\": \"I found an XSS on hackerone.com, here are the reproduction steps:...\"\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"report-intent\",\n    \"attributes\": {\n      \"description\": \"I found an XSS on hackerone.com, here are the reproduction steps:...\"\n    }\n  }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/hackers/report_intents/{id}',
{
  method: 'PATCH',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"report-intent\",\n    \"attributes\": {\n      \"description\": \"I found an XSS on hackerone.com, here are the reproduction steps:...\"\n    }\n  }\n}"`))

    req, err := http.NewRequest("PATCH", "https://api.hackerone.com/v1/hackers/report_intents/{id}", data)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

report intent updated

{
  "data": {
    "id": "26",
    "type": "report-intent",
    "attributes": {
      "title": "Original XSS Report",
      "description": "Updated description with more details about the XSS vulnerability",
      "state": "draft",
      "has_failing_jobs": false,
      "job_status_by_type": {
        "assistant_response": "pending"
      },
      "metadata": {}
    }
  }
}

Last revised: 2025-10-06

PATCH /hackers/report_intents/{id}

Update a report intent's description.

Parameters

Name In Type Required Description
data body object true none
» type body string true none
» attributes body object true none
»» description body string true Any details you have about the vulnerability. The more details you provide, the better the AI can assist you.
id path string true Report Intent ID

Delete Report Intent

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/hackers/report_intents/{id}" \
  -X DELETE \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.delete(
  'https://api.hackerone.com/v1/hackers/report_intents/{id}',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :delete,
  url: 'https://api.hackerone.com/v1/hackers/report_intents/{id}',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/hackers/report_intents/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("DELETE");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/hackers/report_intents/{id}',
{
  method: 'DELETE',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("DELETE", "https://api.hackerone.com/v1/hackers/report_intents/{id}", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

report intent deleted

{
  "data": {
    "id": "27",
    "type": "report-intent",
    "attributes": {
      "title": "Report to be deleted",
      "description": "This report will be deleted",
      "state": "draft",
      "has_failing_jobs": false,
      "job_status_by_type": {
        "assistant_response": "pending"
      },
      "metadata": {}
    }
  }
}

Last revised: 2025-10-06

DELETE /hackers/report_intents/{id}

Delete a report intent. This action is irreversible.

Parameters

Name In Type Required Description
id path string true Report Intent ID

Submit Report Intent

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/hackers/report_intents/{id}/submit" \
  -X POST \
  -u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.post(
  'https://api.hackerone.com/v1/hackers/report_intents/{id}/submit',
  auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :post,
  url: 'https://api.hackerone.com/v1/hackers/report_intents/{id}/submit',
  password: '<YOUR_API_TOKEN>',
  user: '<YOUR_API_USERNAME>',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/hackers/report_intents/{id}/submit");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("POST");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/hackers/report_intents/{id}/submit',
{
  method: 'POST',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/hackers/report_intents/{id}/submit", nil)
    req.Header = headers
    req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

report intent submitted

{
  "data": {
    "id": "28",
    "type": "report-intent",
    "attributes": {
      "title": "XSS vulnerability ready for submission",
      "description": "Complete XSS vulnerability report ready to submit",
      "state": "submitted",
      "has_failing_jobs": false,
      "job_status_by_type": {
        "assistant_response": "succeeded",
        "revise_intent": "succeeded",
        "analyze_asset_type": "succeeded",
        "analyze_vulnerability_presence": "succeeded",
        "analyze_bug_type": "succeeded",
        "extract_metadata": "succeeded",
        "determine_asset": "succeeded",
        "analyze_cif_cir": "succeeded",
        "analyze_bug_class_completeness": "succeeded",
        "assistant_summary": "succeeded"
      },
      "metadata": {
        "bug_class": "Reflected Cross-Site Scripting (XSS)",
        "http_method": "GET",
        "vulnerable_url": "https://example.com/search",
        "vulnerable_parameter": "q"
      }
    }
  }
}

Last revised: 2025-10-06

POST /hackers/report_intents/{id}/submit

Submit a report intent to convert it into an actual vulnerability report. The report intent must be in a "ready_to_submit" state to be submitted successfully.

Parameters

Name In Type Required Description
id path string true Report Intent ID