Pikachu, I choose you: Assign users with HackerOne API

  • September 26th, 2016

Today, we’re taking the next step towards a better integration with your existing tools. Now teams can assign reports to team members using the API. Last June, we launched the first version of our API and are continuing to add integrations based on your feedback.

The documentation on how to assign a report can be found here. We also introduced a new top-level resource: Programs. This resource enables you to query existing groups and team members of your program. Keep reading to learn how HackerOne customers use these APIs to optimize their workflow.

Common use case 1: Assign incoming reports to on-call person

Multiple customers that run their bug bounty program on HackerOne use PagerDuty or similar tools to share responsibilities. When a new HackerOne submission comes in, the on-call tool's API (e.g., the PagerDuty API) can be used to fetch the person currently on call and assign the report to them directly. This enables quicker response times and eliminates disruption of other team members.

Common use case 2: Reflecting internal ticket status in HackerOne

A disconnect between the engineering team and the security team can cause delays in the security team following up with the hacker when a vulnerability is fixed. With the new APIs, it’s now possible to automatically assign a HackerOne report back to the security team to follow up after an internal ticket has been closed. Automating part of this workflow results in more engaged hackers and less overhead handling tickets in multiple systems.

Here’s a code example written in Ruby to demonstrate how the new APIs can work together:

require 'httparty'

basic_auth = {
  username: '<API username>',
  password: '<API token>',
}
program_name = '<Program handle>'

# Fetch all `New` reports
reports = HTTParty.get 'https://api.hackerone.com/v1/reports',
  query: {
    filter: {
      program: [program_name],
      state: ['new'],
    },
  },
  basic_auth: basic_auth

if reports['data'].empty?
  puts 'No reports to assign, exiting.'
  exit
end

# Assign all reports
reports['data'].each do |report|
  # Ignore the report in case it's already assigned
  next if report['relationships']['assignee']

  # Fetch program data
  program_url = "https://api.hackerone.com/v1/programs/#{report['relationships']['program']['data']['id']}"

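  # Memoize the response so the program is fetched only once per run
  @program_data ||= HTTParty.get program_url,
    basic_auth: basic_auth

  # Select the group with name Triagers
  triage_group = @program_data['data']['relationships']['groups']['data'].find do |group|
    group['attributes']['name'] == 'Triagers'
  end
  # Skip the report if the program has no group with that name
  next if triage_group.nil?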

  puts "Assigning group \"#{triage_group['attributes']['name']}\" to report ID #{report['id']}."
  # Assign the group to the unassigned report
  HTTParty.put "https://api.hackerone.com/v1/reports/#{report['id']}/assignee",
    body: { data: triage_group },
    basic_auth: basic_auth
end
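
For use case 1, the choice of assignee can be kept separate from the HTTP calls so it can be tested offline. The following is an added example, not HackerOne's code: it prefers the on-call user and falls back to the Triagers group so a report is never left unassigned. The function names, the sample responses and the shape of the `members` entries are assumptions, and `on_call_username` stands for whatever your on-call tool returns.

```ruby
# Added example: decide who gets each unassigned report, without network access.
# ASSUMPTION: each program member entry looks like
#   { 'type' => 'user', 'id' => '...', 'attributes' => { 'username' => '...' } }
# Check the Programs documentation for the real member shape.

FALLBACK_GROUP = 'Triagers' # group name used in the example above

# Returns the user or group object to send as `data` in the assignee request,
# or nil when neither the on-call user nor the fallback group exists.
def pick_assignee(program, on_call_username)
  rel = program.dig('data', 'relationships') || {}
  members = rel.dig('members', 'data') || []
  groups = rel.dig('groups', 'data') || []
  user = members.find { |m| m.dig('attributes', 'username') == on_call_username }
  user || groups.find { |g| g.dig('attributes', 'name') == FALLBACK_GROUP }
end

# Returns { report_id => assignee } for reports that have no assignee yet.
def plan_assignments(reports, program, on_call_username)
  assignee = pick_assignee(program, on_call_username)
  return {} if assignee.nil?

  reports.fetch('data', [])
         .reject { |r| r.dig('relationships', 'assignee') }
         .to_h { |r| [r['id'], assignee] }
end

# Constructed sample responses (not real HackerOne data).
SAMPLE_PROGRAM = { 'data' => { 'id' => '1', 'relationships' => {
  'groups' => { 'data' => [{ 'id' => '10', 'type' => 'group',
                             'attributes' => { 'name' => 'Triagers' } }] },
  'members' => { 'data' => [{ 'id' => '20', 'type' => 'user',
                              'attributes' => { 'username' => 'alice' } }] }
} } }.freeze
SAMPLE_REPORTS = { 'data' => [
  { 'id' => '100', 'relationships' => {} },
  { 'id' => '101', 'relationships' => { 'assignee' => { 'data' => { 'id' => '20' } } } }
] }.freeze

if __FILE__ == $PROGRAM_NAME
  plan_assignments(SAMPLE_REPORTS, SAMPLE_PROGRAM, 'alice').each do |id, who|
    puts "report #{id} -> #{who['type']} #{who['id']}"
  end
end
```

Each value in the returned hash can be passed as the `data` body of the assignee request shown above.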

What’s next on our API roadmap?

Based on your feedback, these are the API features that we’ll work on next: change the state of a report, communicate activity to hackers, and a push API.

Do you have feedback or suggestions for HackerOne? Let us know at feedback@hackerone.com.

Jobert Abma
