Skip to main content

API Update Announcement: Report State Changes and Submission Comments

  • November 10th , 2016

Communication is one of the keys to success in running a bug bounty program. From facilitating more than 650 bug bounty programs, we've learned that an internal communication breakdown can cause a variety of issues.

Today, we’re announcing an update to the HackerOne API with some slick new communication features.

Now, all Pro and Enterprise subscribers have the ability to change the state of HackerOne reports and post comments on submissions. These helpful features can make your bug bounty program significantly more successful.

It’s our vision that software developers should be included in the resolution of a security vulnerability as much as possible. The benefits here are clear:

  • Educate oneself to become a better developer,
  • Interaction with the hacker community to get to know each other, and
  • Faster turnaround.

The new APIs are key to making this happen.

/reports/state_changes

The use case we optimized for here is straightforward: allowing you to connect your internal workflow with HackerOne to reduce management overhead.

For example, automatically reflecting that a fix has been deployed to your production environment and that it’s ready to be retested. Another great utility is to automatically mark a HackerOne report as resolved when the internal ticket has been marked as resolved. So if you use JIRA, for instance, you mark the ticket as complete on your end and the researcher on HackerOne will see this:

Screenshot of State Change Feature

Transparent, consistent communication = happy hackers. AND less time for your team to respond to status questions.

/reports/comments

Posting comments is a great way to keep the finder of the report in the loop when tickets in an internal system change state.

One of the use cases outlined in the documentation, is to post a comment to the original finder to retest the vulnerability when a fix has been deployed.

Screenshot of Comment Feature

This provides a contextual thread to close the loop of that vulnerability. No second guessing, no extra steps required.

Stay tuned

We’ll keep building new, helpful features for you to manage your bug bounty program effectively and empower your success.

We’re very excited about the latest additions and hope you are too. Please reach out if you have any feedback or thoughts about the direction of our API. We’re always accessible via email at feedback@hackerone.com and if you'd like to get access to this new API feature, hit us up at sales@hackerone.com!

Jobert Abma
HackerOne co-founder

ps - Want to read about how a Senior Security Engineering Manager at Uber approaches bug bounties? Read Collin Greene’s article on our blog.

Recent articles

Zero Daily Newsletter: Fun, yet informative, AppSec, bug bounty, and hacker news

Read the news every day, and check the usual websites? Want to get your industry news and have a little humor…

More Hardware, More Problems

Bounties are for hardware, too. Microwaves notwithstanding, there is an increasing amount of connected…

Bug fixes just got a little easier; HackerOne introduces bi-directional JIRA integration

It’s now possible to view updates on JIRA issues right inside your HackerOne Reports. The two-way integration…