Skip to main content
Company News, New Features

API Update Announcement: Report State Changes and Submission Comments

API Update Announcement: Report State Changes and Submission Comments

Communication is one of the keys to success in running a bug bounty program. From facilitating more than 650 bug bounty programs, we've learned that an internal communication breakdown can cause a variety of issues.

Today, we’re announcing an update to the HackerOne API with some slick new communication features.

Now, all Pro and Enterprise subscribers have the ability to change the state of HackerOne reports and post comments on submissions. These helpful features can make your bug bounty program significantly more successful.

It’s our vision that software developers should be included in the resolution of a security vulnerability as much as possible. The benefits here are clear:

  • Educate oneself to become a better developer,
  • Interaction with the hacker community to get to know each other, and
  • Faster turnaround.

The new APIs are key to making this happen.


The use case we optimized for here is straightforward: allowing you to connect your internal workflow with HackerOne to reduce management overhead.

For example, automatically reflecting that a fix has been deployed to your production environment and that it’s ready to be retested. Another great utility is to automatically mark a HackerOne report as resolved when the internal ticket has been marked as resolved. So if you use JIRA, for instance, you mark the ticket as complete on your end and the researcher on HackerOne will see this:

Screenshot of State Change Feature

Transparent, consistent communication = happy hackers. AND less time for your team to respond to status questions.


Posting comments is a great way to keep the finder of the report in the loop when tickets in an internal system change state.

One of the use cases outlined in the documentation, is to post a comment to the original finder to retest the vulnerability when a fix has been deployed.

Screenshot of Comment Feature

This provides a contextual thread to close the loop of that vulnerability. No second guessing, no extra steps required.

Stay tuned

We’ll keep building new, helpful features for you to manage your bug bounty program effectively and empower your success.

We’re very excited about the latest additions and hope you are too. Please reach out if you have any feedback or thoughts about the direction of our API. We’re always accessible via email at and if you'd like to get access to this new API feature, hit us up at!

Jobert Abma
HackerOne co-founder

ps - Want to read about how a Senior Security Engineering Manager at Uber approaches bug bounties? Read Collin Greene’s article on our blog.



HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.