Hacker Resources
Hacktivity
Get Hacktivity
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/hackers/hacktivity" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/hackers/hacktivity',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/hackers/hacktivity',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/hackers/hacktivity");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/hackers/hacktivity',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/hackers/hacktivity", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
hacktivity items found
{
"data": [
{
"id": 689314,
"type": "report",
"attributes": {
"title": "Project Template functionality can be used to copy private project data",
"substate": "Resolved",
"url": "https://hackerone.com/reports/689314",
"disclosed_at": "2019-11-27T10:02:44.156Z",
"cve_ids": [],
"cwe": "Privilege Escalation",
"severity_rating": "critical",
"votes": 438,
"total_awarded_amount": 12000,
"latest_disclosable_action": "Activities::ReportBecamePublic",
"latest_disclosable_activity_at": "2019-11-27T10:02:44.181Z",
"submitted_at": "2019-09-06T05:40:41.068Z",
"disclosed": true
},
"relationships": {
"report_generated_content": {
"data": {
"type": "report_generated_content",
"attributes": {
"hacktivity_summary": "Here you could see a generated summary."
}
}
},
"reporter": {
"data": {
"type": "user",
"attributes": {
"name": "Jobert Abma",
"username": "jobert"
}
}
},
"program": {
"data": {
"type": "program",
"attributes": {
"handle": "gitlab",
"name": "GitLab",
"currency": "usd",
"url": "https://hackerone.com/gitlab"
}
}
}
}
}
]
}
GET /hackers/hacktivity
This API endpoint allows you to query a paginated list of hacktivity_item objects.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| queryString | path | string | true | Expects an Apache Lucene query string syntax. Possible filters are severity_rating, asset_type, substate, cwe, cve_ids, reporter, team, total_awarded_amount, disclosed_at, has_collaboration and disclosed. Example: queryString=severity_rating:critical AND disclosed_at:>=01-01-1970 displays reports with a severity rating of critical that were disclosed after January 1st, 1970. If no query string is provided, all reports will be returned.' |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Detailed descriptions
queryString: Expects an Apache Lucene query string syntax. Possible filters are severity_rating, asset_type, substate, cwe, cve_ids, reporter, team, total_awarded_amount, disclosed_at, has_collaboration and disclosed. Example: queryString=severity_rating:critical AND disclosed_at:>=01-01-1970 displays reports with a severity rating of critical that were disclosed after January 1st, 1970. If no query string is provided, all reports will be returned.'
Reports
Get Reports
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/hackers/me/reports" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/hackers/me/reports',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/hackers/me/reports',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/hackers/me/reports");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/hackers/me/reports',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/hackers/me/reports", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
report found
{
"data": [
{
"id": "1",
"type": "report",
"attributes": {
"title": "Yet Another XSS",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "Vuln information",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"reporter_agreed_on_going_public_at": null,
"last_public_activity_at": null,
"last_activity_at": null
},
"relationships": {
"reporter": {
"data": {
"id": "1",
"type": "user",
"attributes": {
"username": "john",
"name": "John",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"bio": "Super great hacker",
"website": "http://hackerone.com",
"location": "Who wants to know?",
"hackerone_triager": false
}
}
},
"program": {
"data": {
"id": "1",
"type": "program",
"attributes": {
"handle": "teamy",
"created_at": null,
"updated_at": null
}
}
},
"weakness": {
"data": {
"id": "2",
"type": "weakness",
"attributes": {
"name": "Uncontrolled Resource Consumption",
"description": "The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.",
"external_id": "3",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
}
}
},
{
"id": "2",
"type": "report",
"attributes": {
"title": "Another XSS",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "Vuln information",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"reporter_agreed_on_going_public_at": null,
"last_public_activity_at": null,
"last_activity_at": null
},
"relationships": {
"reporter": {
"data": {
"id": "3",
"type": "user",
"attributes": {
"username": "john",
"name": "John",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"bio": "Super great hacker",
"website": "http://hackerone.com",
"location": "Who wants to know?",
"hackerone_triager": false
}
}
},
"program": {
"data": {
"id": "4",
"type": "program",
"attributes": {
"handle": "teamy",
"created_at": null,
"updated_at": null
}
}
},
"weakness": {
"data": {
"id": "5",
"type": "weakness",
"attributes": {
"name": "Uncontrolled Resource Consumption",
"description": "The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.",
"external_id": "2",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
}
}
},
{
"id": "3",
"type": "report",
"attributes": {
"title": "XSS",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "Vuln information",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"reporter_agreed_on_going_public_at": null,
"last_public_activity_at": null,
"last_activity_at": null
},
"relationships": {
"reporter": {
"data": {
"id": "4",
"type": "user",
"attributes": {
"username": "john",
"name": "John",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"bio": "Super great hacker",
"website": "http://hackerone.com",
"location": "Who wants to know?",
"hackerone_triager": false
}
}
},
"program": {
"data": {
"id": "5",
"type": "program",
"attributes": {
"handle": "teamy",
"created_at": null,
"updated_at": null
}
}
},
"weakness": {
"data": {
"id": "6",
"type": "weakness",
"attributes": {
"name": "Uncontrolled Resource Consumption",
"description": "The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.",
"external_id": "7",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
}
}
}
],
"links": {}
}
GET /hackers/me/reports
This API endpoint allows you to query a paginated list of report objects.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Create Report
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/hackers/reports" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "report",
"attributes": {
"team_handle": "string",
"title": "string",
"vulnerability_information": "string",
"impact": "string",
"severity_rating": "none",
"weakness_id": 0,
"structured_scope_id": 0
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "report",
"attributes": {
"team_handle": "string",
"title": "string",
"vulnerability_information": "string",
"impact": "string",
"severity_rating": "none",
"weakness_id": 0,
"structured_scope_id": 0
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/hackers/reports',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "report",
"attributes": {
"team_handle": "string",
"title": "string",
"vulnerability_information": "string",
"impact": "string",
"severity_rating": "none",
"weakness_id": 0,
"structured_scope_id": 0
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/hackers/reports',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/hackers/reports");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"report\",\n \"attributes\": {\n \"team_handle\": \"string\",\n \"title\": \"string\",\n \"vulnerability_information\": \"string\",\n \"impact\": \"string\",\n \"severity_rating\": \"none\",\n \"weakness_id\": 0,\n \"structured_scope_id\": 0\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"report\",\n \"attributes\": {\n \"team_handle\": \"string\",\n \"title\": \"string\",\n \"vulnerability_information\": \"string\",\n \"impact\": \"string\",\n \"severity_rating\": \"none\",\n \"weakness_id\": 0,\n \"structured_scope_id\": 0\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/hackers/reports',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"report\",\n \"attributes\": {\n \"team_handle\": \"string\",\n \"title\": \"string\",\n \"vulnerability_information\": \"string\",\n \"impact\": \"string\",\n \"severity_rating\": \"none\",\n \"weakness_id\": 0,\n \"structured_scope_id\": 0\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/hackers/reports", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
report created
{
"data": {
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2021-06-30T09:59:37.783Z",
"vulnerability_information": "Soo much vuln\n\n## Impact\n\nSoo much impact",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": "2021-06-30T09:59:38.294Z",
"first_program_activity_at": "2021-06-30T09:59:38.294Z",
"last_program_activity_at": "2021-06-30T09:59:38.294Z",
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"reporter_agreed_on_going_public_at": null,
"last_public_activity_at": "2021-06-30T09:59:38.294Z",
"last_activity_at": "2021-06-30T09:59:38.294Z",
"cve_ids": []
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "hacker",
"name": "Hacker",
"disabled": false,
"created_at": "2021-05-28T11:27:05.082Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"bio": "Hacker.",
"website": "https://example.com",
"location": "Hackland",
"hackerone_triager": false
}
}
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2013-01-01T00:00:00.000Z",
"updated_at": "2021-06-25T10:04:59.678Z"
}
}
},
"severity": {
"data": {
"id": "74",
"type": "severity",
"attributes": {
"rating": "high",
"author_type": "User",
"user_id": 1337,
"created_at": "2021-06-30T09:59:38.029Z"
}
}
},
"swag": {
"data": []
},
"attachments": {
"data": []
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2021-05-28T11:26:59.604Z"
}
}
},
"activities": {
"data": []
},
"bounties": {
"data": []
},
"summaries": {
"data": []
}
}
}
}
POST /hackers/reports
This API endpoint can be used to submit reports to a specific team on the HackerOne platform. When the API call is successful, a report object will be returned.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| data | body | object | true | The information to create a report. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» team_handle | body | string | true | The handle of the team that the report is being submitted to. |
| »» title | body | string | true | The title of the report. |
| »» vulnerability_information | body | string | true | Detailed information about the vulnerability including the steps to reproduce as well as supporting material and references. |
| »» impact | body | string | true | The security impact that an attacker could achieve. |
| »» severity_rating | body | severity-ratings | false | The qualitative rating of the severity. Provided either directly from the author or mapped from the calculated vulnerability score. |
| »» weakness_id | body | integer | false | The ID of the weakness object that describes the type of the potential issue. |
| »» structured_scope_id | body | integer | false | The ID of the structured scope object that describes the attack surface. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | report |
| »» severity_rating | none |
| »» severity_rating | low |
| »» severity_rating | medium |
| »» severity_rating | high |
| »» severity_rating | critical |
Get Report
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/hackers/reports/{id}" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/hackers/reports/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/hackers/reports/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/hackers/reports/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/hackers/reports/{id}',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/hackers/reports/{id}", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
report found
{
"data": {
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"source": null
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"assignee": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "member",
"name": "Member",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"severity": {
"data": {
"id": "57",
"type": "severity",
"attributes": {
"rating": "high",
"author_type": "User",
"user_id": 1337,
"created_at": "2016-02-02T04:05:06.000Z",
"score": 8.7,
"attack_complexity": "low",
"attack_vector": "adjacent",
"availability": "high",
"confidentiality": "low",
"integrity": "high",
"privileges_required": "low",
"user_interaction": "required",
"scope": "changed"
}
}
},
"swag": {
"data": []
},
"attachments": {
"data": []
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"structured_scope": {
"data": {
"id": "57",
"type": "structured-scope",
"attributes": {
"asset_identifier": "api.example.com",
"asset_type": "url",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2015-02-02T04:05:06.000Z",
"updated_at": "2016-05-02T04:05:06.000Z",
"instruction": null,
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001001"
}
}
},
"activities": {
"data": [
{
"type": "activity-comment",
"id": "445",
"attributes": {
"message": "Comment!",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"signal": null,
"impact": null,
"reputation": null,
"bio": null,
"website": null,
"location": null,
"hackerone_triager": false
}
}
},
"attachments": {
"data": [
{
"id": "1337",
"type": "attachment",
"attributes": {
"expiring_url": "/system/attachments/files/000/001/337/original/root.rb?1454385906",
"created_at": "2016-02-02T04:05:06.000Z",
"file_name": "root.rb",
"content_type": "text/x-ruby",
"file_size": 2871
}
}
]
}
}
},
{
"id": "1337",
"type": "activity-bug-resolved",
"attributes": {
"message": "Bug Resolved!",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
]
},
"bounties": {
"data": []
},
"summaries": {
"data": []
},
"triggered_pre_submission_trigger": {
"data": {
"id": "1337",
"type": "trigger",
"attributes": {
"title": "Example Trigger"
}
}
},
"custom_field_values": {
"data": []
},
"automated_remediation_guidance": {
"data": {
"id": "1",
"type": "automated-remediation-guidance",
"attributes": {
"reference": "https://cwe.mitre.org/data/definitions/120.html",
"created_at": "2020-10-23T12:09:37.859Z"
}
}
},
"custom_remediation_guidance": {
"data": {
"id": "84",
"type": "custom-remediation-guidance",
"attributes": {
"message": "Check buffer boundaries if accessing the buffer in a loop and make sure you are not in danger of writing past the allocated space.",
"created_at": "2020-10-26T08:47:23.296Z"
},
"relationships": {
"author": {
"data": {
"id": "1338",
"type": "user",
"attributes": {
"username": "api-example-2",
"name": "API Example 2",
"disabled": false,
"created_at": "2020-10-22T011:22:05.402Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
}
}
}
}
GET /hackers/reports/{id}
A report object can be fetched by sending a GET request to a unique report object.
In case the request was successful, the API will respond with a
report object.
The following report relationships are included: reporter, assignee (a user or group), program, weakness, severity, bounties, swag,activities, attachments, structured scope and summaries.
NOTE
vulnerability_information will only be included in the response if the hacker owns the report being viewed.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
Balance
Get Balance
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/hackers/payments/balance" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/hackers/payments/balance',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/hackers/payments/balance',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/hackers/payments/balance");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/hackers/payments/balance',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/hackers/payments/balance", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
balance found
{
"data": {
"balance": 105
}
}
GET /hackers/payments/balance
This API endpoint allows you to query your balance.
Earnings
Get Earnings
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/hackers/payments/earnings" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/hackers/payments/earnings',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/hackers/payments/earnings',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/hackers/payments/earnings");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/hackers/payments/earnings',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/hackers/payments/earnings", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
earnings found
{
"data": [
{
"id": "1",
"type": "earning-bounty-earned",
"attributes": {
"amount": 150,
"created_at": "2015-02-02T04:05:06.000Z"
},
"relationships": {
"program": {
"data": {
"id": "9",
"type": "program",
"attributes": {
"handle": "acme",
"name": "Acme",
"currency": null,
"profile_picture": null,
"submission_state": null,
"triage_active": null,
"state": null,
"started_accepting_at": null,
"number_of_reports_for_user": null,
"number_of_valid_reports_for_user": null,
"bounty_earned_for_user": null,
"last_invitation_accepted_at_for_user": null,
"bookmarked": null,
"allows_bounty_splitting": null
}
}
},
"bounty": {
"data": {
"id": "123",
"type": "bounty",
"attributes": {
"amount": "150.00",
"bonus_amount": "0.00",
"awarded_amount": "150.00",
"awarded_bonus_amount": "0.00",
"awarded_currency": "USD",
"created_at": "2015-02-02T04:05:06.000Z"
},
"relationships": {
"report": {
"data": {
"id": "123",
"type": "report",
"attributes": {
"title": "Great bounty",
"state": "resolved",
"created_at": "2015-02-02T04:05:06.000Z",
"vulnerability_information": "Vuln information",
"triaged_at": null,
"closed_at": "2015-02-02T04:05:06.000Z",
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"reporter_agreed_on_going_public_at": null,
"last_public_activity_at": null,
"last_activity_at": null
}
}
}
}
}
}
}
}
],
"links": {}
}
GET /hackers/payments/earnings
This API endpoint allows you to query a paginated list of earning objects.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Payouts
Get Payouts
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/hackers/payments/payouts" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/hackers/payments/payouts',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/hackers/payments/payouts',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/hackers/payments/payouts");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/hackers/payments/payouts',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/hackers/payments/payouts", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
earnings found
{
"data": [
{
"amount": 100,
"paid_out_at": "2016-02-02T04:05:06.000Z",
"reference": "<reference>",
"payout_provider": "PayPal",
"status": "sent"
}
],
"links": {}
}
GET /hackers/payments/payouts
This API endpoint allows you to query a paginated list of payout objects.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Programs
Get Structured Scopes
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/hackers/programs/{handle}/structured_scopes" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/hackers/programs/{handle}/structured_scopes',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/hackers/programs/{handle}/structured_scopes',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/hackers/programs/{handle}/structured_scopes");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/hackers/programs/{handle}/structured_scopes',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/hackers/programs/{handle}/structured_scopes", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
structured scopes found
{
"data": [
{
"id": "<id>",
"type": "structured-scope",
"attributes": {
"asset_type": "URL",
"asset_identifier": "https://api.hackerone.com",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "This is our API",
"max_severity": "critical",
"created_at": "<date>",
"updated_at": "<date>",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high"
}
}
],
"links": {
"self": "http://api.test.host/v1/hackers/programs/acme/structured_scopes?page%5Bsize%5D=1",
"next": "http://api.test.host/v1/hackers/programs/acme/structured_scopes?page%5Bnumber%5D=2&page%5Bsize%5D=1",
"last": "http://api.test.host/v1/hackers/programs/acme/structured_scopes?page%5Bnumber%5D=3&page%5Bsize%5D=1"
}
}
GET /hackers/programs/{handle}/structured_scopes
The Structured Scopes endpoint enables you to retrieve a list of all structured_scopes of the program.
Structured Scopes can be fetched by sending a GET request to the structured_scopes endpoint. When the request is successful, the API will respond with paginated structured_scope objects.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| handle | path | string | true | The handle of the program. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Get Weaknesses
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/hackers/programs/{handle}/weaknesses" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/hackers/programs/{handle}/weaknesses',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/hackers/programs/{handle}/weaknesses',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/hackers/programs/{handle}/weaknesses");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/hackers/programs/{handle}/weaknesses',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/hackers/programs/{handle}/weaknesses", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
weaknesses found
{
"data": [
{
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"created_at": "2016-02-02T04:05:06.000Z",
"external_id": "cwe-352"
}
},
{
"id": "1338",
"type": "weakness",
"attributes": {
"name": "SQL Injection",
"description": "The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.",
"created_at": "2016-03-02T04:05:06.000Z",
"external_id": "cwe-89"
}
}
],
"links": {}
}
GET /hackers/programs/{handle}/weaknesses
The Weakness endpoint enables you to retrieve a list of all weaknesses of the program.
Weaknesses can be fetched by sending a GET request to the weaknesses endpoint. When the request is successful, the API will respond with paginated weakness objects.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| handle | path | string | true | The handle of the program. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Get Programs
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/hackers/programs" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/hackers/programs',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/hackers/programs',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/hackers/programs");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/hackers/programs',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/hackers/programs", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
programs found
{
"data": [
{
"id": 9,
"type": "program",
"attributes": {
"handle": "acme",
"name": "acme",
"currency": "usd",
"policy": "acme's program policy.",
"profile_picture": "/assets/global-elements/add-team.png",
"submission_state": "open",
"triage_active": null,
"state": "public_mode",
"started_accepting_at": null,
"number_of_reports_for_user": 0,
"number_of_valid_reports_for_user": 0,
"bounty_earned_for_user": 0,
"last_invitation_accepted_at_for_user": null,
"bookmarked": false,
"allows_bounty_splitting": false,
"offers_bounties": true,
"open_scope": true,
"fast_payments": true,
"gold_standard_safe_harbor": false
}
}
],
"links": {}
}
GET /hackers/programs
This API endpoint allows you to query a paginated list of program objects.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Get Program
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/hackers/programs/{handle}" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/hackers/programs/{handle}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/hackers/programs/{handle}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/hackers/programs/{handle}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/hackers/programs/{handle}',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/hackers/programs/{handle}", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
program found
{
"data": {
"id": 9,
"type": "program",
"attributes": {
"handle": "acme",
"name": "acme",
"currency": "usd",
"policy": "acme's program policy.",
"profile_picture": "/assets/global-elements/add-team.png",
"submission_state": "open",
"triage_active": null,
"state": "public_mode",
"started_accepting_at": null,
"number_of_reports_for_user": 0,
"number_of_valid_reports_for_user": 0,
"bounty_earned_for_user": 0,
"last_invitation_accepted_at_for_user": null,
"bookmarked": false,
"allows_bounty_splitting": false,
"offers_bounties": true,
"open_scope": true,
"fast_payments": true,
"gold_standard_safe_harbor": false
},
"relationships": {
"structured_scopes": {
"data": []
}
}
}
}
GET /hackers/programs/{handle}
A program object can be fetched by sending a GET request to a unique program object. When the request is successful, the API will respond with a program object.
NOTE
If you want to fetch all structured_scopes for a program you can use get structured scopes API endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| handle | path | string | true | The handle of the program. Find the program handle by fetching your programs |
Report Intents
Get Report Intent Attachments
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/hackers/report_intents/{report_intent_id}/attachments" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/hackers/report_intents/{report_intent_id}/attachments',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/hackers/report_intents/{report_intent_id}/attachments',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/hackers/report_intents/{report_intent_id}/attachments");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/hackers/report_intents/{report_intent_id}/attachments',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/hackers/report_intents/{report_intent_id}/attachments", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
attachments retrieved
{
"data": [
{
"id": "9",
"type": "attachment",
"attributes": {
"expiring_url": "https://hackerone.com/url/to/attachment",
"created_at": "2025-09-25T13:01:28.293Z",
"file_name": "attachment1.png",
"content_type": "image/png",
"file_size": 13808
}
},
{
"id": "10",
"type": "attachment",
"attributes": {
"expiring_url": "https://hackerone.com/url/to/attachment",
"created_at": "2025-09-25T13:01:29.084Z",
"file_name": "attachment2.png",
"content_type": "image/png",
"file_size": 13808
}
}
]
}
report intent not found
{
"errors": [
{
"status": 404,
"detail": "Report Intent not found"
}
]
}
GET /hackers/report_intents/{report_intent_id}/attachments
Retrieve all attachments associated with a specific report intent.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| report_intent_id | path | integer | true | The ID of the report intent. |
Upload Report Intent Attachments
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/hackers/report_intents/{report_intent_id}/attachments" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: multipart/form-data' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"files[]": [
"string"
]
}
EOD
import requests
headers = {
'Content-Type': 'multipart/form-data',
'Accept': 'application/json'
}
data = {
"files[]": [
"string"
]
}
r = requests.post(
'https://api.hackerone.com/v1/hackers/report_intents/{report_intent_id}/attachments',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'multipart/form-data',
'Accept' => 'application/json'
}
data = {
"files[]": [
"string"
]
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/hackers/report_intents/{report_intent_id}/attachments',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/hackers/report_intents/{report_intent_id}/attachments");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"files[]\": [\n \"string\"\n ]\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"files[]\": [\n \"string\"\n ]\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'multipart/form-data'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/hackers/report_intents/{report_intent_id}/attachments',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"multipart/form-data"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"files[]\": [\n \"string\"\n ]\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/hackers/report_intents/{report_intent_id}/attachments", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
attachments uploaded
{
"data": {
"id": "9",
"type": "attachment",
"attributes": {
"expiring_url": "https://hackerone.com/url/to/attachment",
"created_at": "2025-09-25T13:01:28.293Z",
"file_name": "attachment1.png",
"content_type": "image/png",
"file_size": 13808
}
}
}
POST /hackers/report_intents/{report_intent_id}/attachments
Upload one or more attachments to a report intent. Attachments can include screenshots,
logs, or other supporting materials that help demonstrate the vulnerability.
Use the files[] form data parameter to upload multiple files in a single request. Each file
should be included as a separate entry in the files[] array.
The uploaded files will be processed and associated with the report intent. When the
report intent is eventually submitted as a vulnerability report, these attachments
will be included.
Note: Report intents must be in an editable state (not submitted) to accept new attachments.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| files[] | body | [string] | false | Array of files to upload. Note that this needs to be sent as part of the form data, not as JSON in the request body. |
| report_intent_id | path | integer | true | The ID of the report intent. |
Delete Report Intent Attachment
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/hackers/report_intents/{report_intent_id}/attachments/{id}" \
-X DELETE \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.delete(
'https://api.hackerone.com/v1/hackers/report_intents/{report_intent_id}/attachments/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :delete,
url: 'https://api.hackerone.com/v1/hackers/report_intents/{report_intent_id}/attachments/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/hackers/report_intents/{report_intent_id}/attachments/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("DELETE");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/hackers/report_intents/{report_intent_id}/attachments/{id}',
{
method: 'DELETE',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("DELETE", "https://api.hackerone.com/v1/hackers/report_intents/{report_intent_id}/attachments/{id}", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
attachment deleted
{
"data": [
{
"id": "10",
"type": "attachment",
"attributes": {
"expiring_url": "https://hackerone.com/url/to/attachment",
"created_at": "2025-09-25T13:01:29.084Z",
"file_name": "attachment2.png",
"content_type": "image/png",
"file_size": 13808
}
}
]
}
report intent not found
{
"errors": [
{
"status": 404,
"detail": "Report Intent not found"
}
]
}
DELETE /hackers/report_intents/{report_intent_id}/attachments/{id}
Delete a specific attachment from a report intent. This action is irreversible.
Only the author of the report intent can delete attachments, and only if the report intent has not been submitted yet.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| report_intent_id | path | integer | true | The ID of the report intent. |
| id | path | integer | true | The ID of the attachment to delete. |
Get Report Intents
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/hackers/report_intents" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/hackers/report_intents',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/hackers/report_intents',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/hackers/report_intents");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/hackers/report_intents',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/hackers/report_intents", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
report intents retrieved
{
"data": [
{
"id": "23",
"type": "report-intent",
"attributes": {
"title": "IDOR vulnerability allowing unauthorized access to user data",
"description": "## Summary:\nFound IDOR (Insecure Direct Object Reference) vulnerability allowing access to other users' data.\n\n## Steps To Reproduce:\n[add details for how we can reproduce the issue]\n\n 1. [add step]\n 1. [add step]\n 1. [add step]\n\n## Supporting Material/References:\n[list any additional material (e.g. screenshots, logs, etc.)]\n\n * [attachment / reference]",
"state": "ready_to_submit",
"has_failing_jobs": true,
"job_status_by_type": {
"assistant_response": "succeeded",
"revise_intent": "succeeded",
"analyze_asset_type": "succeeded",
"analyze_vulnerability_presence": "failed",
"analyze_bug_type": "succeeded",
"extract_metadata": "succeeded",
"determine_asset": "failed",
"analyze_cif_cir": "succeeded",
"analyze_bug_class_completeness": "failed",
"assistant_summary": "succeeded"
},
"metadata": {
"bug_class": "Insecure Direct Object Reference (IDOR)",
"http_method": null,
"vulnerable_url": null,
"vulnerable_parameter": null
}
}
},
{
"id": "24",
"type": "report-intent",
"attributes": {
"title": "Reflected XSS in search functionality via search parameter leads to arbitrary JavaScript execution",
"description": "## Summary:\nCross-Site Scripting (XSS) vulnerability in the search parameter that allows for arbitrary JavaScript execution.\n\n## Steps To Reproduce:\n1. Navigate to the search functionality\n2. Enter the payload `<script>alert(1)</script>` into the search parameter\n3. Submit the search query\n4. Observe that the JavaScript executes, displaying an alert box with the number \"1\"\n\n## Supporting Material/References:\n* No additional materials provided",
"state": "ready_to_submit",
"has_failing_jobs": true,
"job_status_by_type": {
"assistant_response": "succeeded",
"revise_intent": "succeeded",
"analyze_asset_type": "succeeded",
"analyze_vulnerability_presence": "succeeded",
"analyze_bug_type": "succeeded",
"extract_metadata": "succeeded",
"determine_asset": "failed",
"analyze_cif_cir": "succeeded",
"analyze_bug_class_completeness": "failed",
"assistant_summary": "succeeded"
},
"metadata": {
"bug_class": "Reflected Cross-Site Scripting (XSS)",
"http_method": null,
"vulnerable_url": null,
"vulnerable_parameter": "search"
}
}
}
]
}
GET /hackers/report_intents
Retrieve a list of report intents created by the requester.
Create Report Intent
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/hackers/report_intents" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "report-intent",
"attributes": {
"team_handle": "security",
"description": "I found an XSS on hackerone.com, here are the reproduction steps:..."
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "report-intent",
"attributes": {
"team_handle": "security",
"description": "I found an XSS on hackerone.com, here are the reproduction steps:..."
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/hackers/report_intents',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "report-intent",
"attributes": {
"team_handle": "security",
"description": "I found an XSS on hackerone.com, here are the reproduction steps:..."
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/hackers/report_intents',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/hackers/report_intents");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"report-intent\",\n \"attributes\": {\n \"team_handle\": \"security\",\n \"description\": \"I found an XSS on hackerone.com, here are the reproduction steps:...\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"report-intent\",\n \"attributes\": {\n \"team_handle\": \"security\",\n \"description\": \"I found an XSS on hackerone.com, here are the reproduction steps:...\"\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/hackers/report_intents',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"report-intent\",\n \"attributes\": {\n \"team_handle\": \"security\",\n \"description\": \"I found an XSS on hackerone.com, here are the reproduction steps:...\"\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/hackers/report_intents", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
report intent created
{
"data": {
"id": "25",
"type": "report-intent",
"attributes": {
"title": "Report Intent #25",
"description": "Your vulnerability description here",
"state": "pending",
"has_failing_jobs": false,
"job_status_by_type": {
"assistant_response": "pending"
},
"metadata": {}
}
}
}
POST /hackers/report_intents
Create an initial report intent. Use the "Get Report Intent" endpoint to poll the report intent until all pipelines have completed.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| data | body | object | true | none |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» team_handle | body | string | true | Program team handle to submit this report to. This team needs to enable Report Assistant. |
| »» description | body | string | true | Any details you have about the vulnerability. The more details you provide, the better the AI can assist you. |
Get Report Intent
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/hackers/report_intents/{id}" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/hackers/report_intents/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/hackers/report_intents/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/hackers/report_intents/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/hackers/report_intents/{id}',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/hackers/report_intents/{id}", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
report intent retrieved
{
"data": {
"id": "25",
"type": "report-intent",
"attributes": {
"title": "Reflected XSS in search functionality via search parameter leads to arbitrary JavaScript execution",
"description": "## Summary:\nCross-Site Scripting (XSS) vulnerability in the search parameter that allows for arbitrary JavaScript execution.\n\n## Steps To Reproduce:\n1. Navigate to the search functionality\n2. Enter the payload `<script>alert(1)</script>` into the search parameter\n3. Submit the search query\n4. Observe that the JavaScript executes, displaying an alert box with the number \"1\"\n\n## Supporting Material/References:\n* No additional materials provided",
"state": "ready_to_submit",
"has_failing_jobs": true,
"job_status_by_type": {
"assistant_response": "succeeded",
"revise_intent": "succeeded",
"analyze_asset_type": "succeeded",
"analyze_vulnerability_presence": "succeeded",
"analyze_bug_type": "succeeded",
"extract_metadata": "succeeded",
"determine_asset": "failed",
"analyze_cif_cir": "succeeded",
"analyze_bug_class_completeness": "failed",
"assistant_summary": "succeeded"
},
"metadata": {
"bug_class": "Reflected Cross-Site Scripting (XSS)",
"http_method": null,
"vulnerable_url": null,
"vulnerable_parameter": "search"
}
}
}
}
report intent not found
{
"errors": [
{
"status": 404,
"detail": "Report Intent not found"
}
]
}
GET /hackers/report_intents/{id}
Retrieve a specific report intent by ID.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | string | true | Report Intent ID |
Update Report Intent
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/hackers/report_intents/{id}" \
-X PATCH \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "report-intent",
"attributes": {
"description": "I found an XSS on hackerone.com, here are the reproduction steps:..."
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "report-intent",
"attributes": {
"description": "I found an XSS on hackerone.com, here are the reproduction steps:..."
}
}
}
r = requests.patch(
'https://api.hackerone.com/v1/hackers/report_intents/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "report-intent",
"attributes": {
"description": "I found an XSS on hackerone.com, here are the reproduction steps:..."
}
}
}
result = RestClient::Request.execute(
method: :patch,
url: 'https://api.hackerone.com/v1/hackers/report_intents/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/hackers/report_intents/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PATCH");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"report-intent\",\n \"attributes\": {\n \"description\": \"I found an XSS on hackerone.com, here are the reproduction steps:...\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"report-intent\",\n \"attributes\": {\n \"description\": \"I found an XSS on hackerone.com, here are the reproduction steps:...\"\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/hackers/report_intents/{id}',
{
method: 'PATCH',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"report-intent\",\n \"attributes\": {\n \"description\": \"I found an XSS on hackerone.com, here are the reproduction steps:...\"\n }\n }\n}"`))
req, err := http.NewRequest("PATCH", "https://api.hackerone.com/v1/hackers/report_intents/{id}", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
report intent updated
{
"data": {
"id": "26",
"type": "report-intent",
"attributes": {
"title": "Original XSS Report",
"description": "Updated description with more details about the XSS vulnerability",
"state": "draft",
"has_failing_jobs": false,
"job_status_by_type": {
"assistant_response": "pending"
},
"metadata": {}
}
}
}
PATCH /hackers/report_intents/{id}
Update a report intent's description.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| data | body | object | true | none |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» description | body | string | true | Any details you have about the vulnerability. The more details you provide, the better the AI can assist you. |
| id | path | string | true | Report Intent ID |
Delete Report Intent
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/hackers/report_intents/{id}" \
-X DELETE \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.delete(
'https://api.hackerone.com/v1/hackers/report_intents/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :delete,
url: 'https://api.hackerone.com/v1/hackers/report_intents/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/hackers/report_intents/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("DELETE");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/hackers/report_intents/{id}',
{
method: 'DELETE',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("DELETE", "https://api.hackerone.com/v1/hackers/report_intents/{id}", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
report intent deleted
{
"data": {
"id": "27",
"type": "report-intent",
"attributes": {
"title": "Report to be deleted",
"description": "This report will be deleted",
"state": "draft",
"has_failing_jobs": false,
"job_status_by_type": {
"assistant_response": "pending"
},
"metadata": {}
}
}
}
DELETE /hackers/report_intents/{id}
Delete a report intent. This action is irreversible.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | string | true | Report Intent ID |
Submit Report Intent
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/hackers/report_intents/{id}/submit" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.post(
'https://api.hackerone.com/v1/hackers/report_intents/{id}/submit',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/hackers/report_intents/{id}/submit',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/hackers/report_intents/{id}/submit");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/hackers/report_intents/{id}/submit',
{
method: 'POST',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/hackers/report_intents/{id}/submit", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
report intent submitted
{
"data": {
"id": "28",
"type": "report-intent",
"attributes": {
"title": "XSS vulnerability ready for submission",
"description": "Complete XSS vulnerability report ready to submit",
"state": "submitted",
"has_failing_jobs": false,
"job_status_by_type": {
"assistant_response": "succeeded",
"revise_intent": "succeeded",
"analyze_asset_type": "succeeded",
"analyze_vulnerability_presence": "succeeded",
"analyze_bug_type": "succeeded",
"extract_metadata": "succeeded",
"determine_asset": "succeeded",
"analyze_cif_cir": "succeeded",
"analyze_bug_class_completeness": "succeeded",
"assistant_summary": "succeeded"
},
"metadata": {
"bug_class": "Reflected Cross-Site Scripting (XSS)",
"http_method": "GET",
"vulnerable_url": "https://example.com/search",
"vulnerable_parameter": "q"
}
}
}
}
POST /hackers/report_intents/{id}/submit
Submit a report intent to convert it into an actual vulnerability report. The report intent must be in a "ready_to_submit" state to be submitted successfully.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | string | true | Report Intent ID |