
API Update Announcement: Report State Changes and Submission Comments

  • November 10th, 2016

Communication is one of the keys to success in running a bug bounty program. From facilitating more than 650 bug bounty programs, we've learned that an internal communication breakdown can cause a variety of issues.

Today, we’re announcing an update to the HackerOne API with some slick new communication features.

Now, all Pro and Enterprise subscribers have the ability to change the state of HackerOne reports and post comments on submissions. These helpful features can make your bug bounty program significantly more successful.

It’s our vision that software developers should be included in the resolution of a security vulnerability as much as possible. The benefits here are clear:

  • Education, which makes one a better developer,
  • Interaction with the hacker community, so both sides get to know each other, and
  • Faster turnaround.

The new APIs are key to making this happen.

/reports/state_changes

The use case we optimized for here is straightforward: allowing you to connect your internal workflow with HackerOne to reduce management overhead.

For example, you can automatically reflect that a fix has been deployed to your production environment and that it’s ready to be retested. Another great use is to automatically mark a HackerOne report as resolved when the internal ticket has been marked as resolved. So if you use JIRA, for instance, you mark the ticket as complete on your end and the researcher on HackerOne will see this:

Screenshot of State Change Feature

Transparent, consistent communication = happy hackers. It also means less time spent by your team responding to status questions.

/reports/comments

Posting comments is a great way to keep the finder of the report in the loop when tickets in an internal system change state.

One of the use cases outlined in the documentation is to post a comment asking the original finder to retest the vulnerability once a fix has been deployed.

Screenshot of Comment Feature

This provides a contextual thread to close the loop of that vulnerability. No second guessing, no extra steps required.

Stay tuned

We’ll keep building new, helpful features for you to manage your bug bounty program effectively and empower your success.

We’re very excited about the latest additions and hope you are too. Please reach out if you have any feedback or thoughts about the direction of our API. We’re always accessible via email at feedback@hackerone.com and if you'd like to get access to this new API feature, hit us up at sales@hackerone.com!

Jobert Abma
HackerOne co-founder

ps - Want to read about how a Senior Security Engineering Manager at Uber approaches bug bounties? Read Collin Greene’s article on our blog.
