Pikachu, I choose you: Assign users with HackerOne API

Today, we’re taking the next step towards a better integration with your existing tools. Now teams can assign reports to team members using the API. Last June, we launched the first version of our API and are continuing to add integrations based on your feedback.

The documentation on how to assign a report can be found here. We also introduced a new top-level resource: Programs. This resource enables you to query existing groups and team members of your program. Keep reading to learn how HackerOne customers use these APIs to optimize their workflow.

Common use case 1: Assign incoming reports to on-call person

Multiple customers that run their bug bounty program on HackerOne use PagerDuty or similar tools to share responsibilities. When a new HackerOne submission comes in, the on-call tool's API (e.g., the PagerDuty API) can be used to fetch the current on-call person and assign the report directly to them. This enables quicker response times and avoids disrupting other team members.

Common use case 2: Reflecting internal ticket status in HackerOne

A disconnect between the engineering team and the security team can cause delays in the security team following up with the hacker when a vulnerability is fixed. With the new APIs, it’s now possible to automatically assign a HackerOne report back to the security team to follow up after an internal ticket has been closed. Automating part of this workflow results in more engaged hackers and less overhead handling tickets in multiple systems.

Here’s a code example written in Ruby to demonstrate how the new APIs can work together:

require 'httparty'

basic_auth = {
  username: '<API username>',
  password: '<API token>'
}
program_name = '<Program handle>'

# Fetch all `New` reports
reports = HTTParty.get 'https://api.hackerone.com/v1/reports',
  query: {
    filter: {
      program: [program_name],
      state: ['new']
    }
  },
  basic_auth: basic_auth

if reports['data'].empty?
  puts 'No reports to assign, exiting.'
  exit
end

# Program data is fetched once and reused for every report
program_data = nil

# Assign all reports
reports['data'].each do |report|
  # Ignore the report in case it's already assigned
  next if report['relationships']['assignee']

  # Fetch program data
  program_url = "https://api.hackerone.com/v1/programs/#{report['relationships']['program']['data']['id']}"

  program_data ||= HTTParty.get program_url,
    basic_auth: basic_auth

  # Select the group with name Triagers (`find` returns one group, not an array)
  triage_group = program_data['data']['relationships']['groups']['data'].find do |group|
    group['attributes']['name'] == 'Triagers'
  end
  abort 'No group named "Triagers" found in the program.' unless triage_group

  puts "Assigning group \"#{triage_group['attributes']['name']}\" to report ID #{report['id']}."
  # Assign the group to the unassigned report
  HTTParty.put "https://api.hackerone.com/v1/reports/#{report['id']}/assignee",
    body: { data: triage_group },
    basic_auth: basic_auth
end
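
For use case 1, the script above always assigns a fixed group; the missing step is choosing a person. The following is an added example, not HackerOne's code: it maps the current on-call's email to a program member and falls back to the Triagers group when that person is unknown or not a member. The email-to-username map, the sample data and the layout of the `members` relationship are assumptions.

```ruby
# Hypothetical map kept by the team: on-call tool email => HackerOne username.
ONCALL_TO_H1 = { 'alice@example.com' => 'alice_sec' }.freeze

# Constructed sample of a /v1/programs/<id> response (field layout is an assumption).
SAMPLE_PROGRAM = {
  'data' => { 'relationships' => {
    'groups' => { 'data' => [
      { 'id' => '21', 'type' => 'group', 'attributes' => { 'name' => 'Triagers' } }
    ] },
    'members' => { 'data' => [
      { 'id' => '7', 'type' => 'member', 'relationships' => { 'user' => { 'data' => {
        'id' => '1337', 'type' => 'user', 'attributes' => { 'username' => 'alice_sec' }
      } } } }
    ] }
  } }
}.freeze

# Returns the `data` object to send with PUT /v1/reports/<id>/assignee.
def assignee_for(oncall_email, program_data, fallback_group: 'Triagers')
  rel = program_data.dig('data', 'relationships') || {}
  # Normalise the email before lookup so case or stray whitespace cannot cause a miss.
  username = ONCALL_TO_H1[oncall_email.to_s.strip.downcase]
  users = (rel.dig('members', 'data') || []).map { |m| m.dig('relationships', 'user', 'data') }
  user = users.compact.find { |u| username && u.dig('attributes', 'username') == username }
  return { 'id' => user['id'], 'type' => 'user' } if user

  # On-call is unknown or no longer a program member: route to the group
  # rather than to a guessed person.
  group = (rel.dig('groups', 'data') || []).find { |g| g.dig('attributes', 'name') == fallback_group }
  raise ArgumentError, "no assignee: group #{fallback_group.inspect} not found" unless group

  { 'id' => group['id'], 'type' => 'group' }
end

p assignee_for('Alice@Example.com', SAMPLE_PROGRAM)
p assignee_for('mallory@example.com', SAMPLE_PROGRAM)
```

The returned hash takes the place of `triage_group` in the `body: { data: ... }` argument of the script's PUT request.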

What’s next on our API roadmap?

Based on your feedback, these are the API features that we’ll work on next: change the state of a report, communicate activity to hackers, and a push API.

Do you have feedback or suggestions for HackerOne? Let us know at feedback@hackerone.com.

Jobert Abma