HackerOne Integration for Elastic

The HackerOne integration brings your bug bounty and vulnerability disclosure reports into Elastic Security. Use it to monitor submissions from security researchers, track report status, and analyze vulnerability data alongside your other security tools.

The integration checks HackerOne on a schedule you choose and pulls in new or updated reports. After the first run, it only collects reports that changed since the last check, so you stay up to date without duplicate data.

This integration works with the HackerOne Customer API. You need an organization API token from a Professional, Community, or Enterprise program. You can also use the free Sandbox program to test the integration.

On each scheduled run, the integration:

1. Connects to HackerOne using your API token.
2. Fetches reports for the programs or inboxes you specify.
3. Sends each report to Elasticsearch for search, dashboards, and alerting.

When a report is updated in HackerOne (for example, triaged or resolved), the integration picks up the change on the next run.

Each report includes details such as:

• Status and timeline — when the report was created, triaged, closed, disclosed, and last updated.
• Vulnerability details — title, description, severity rating, CVSS score, weakness type, and CVE IDs when available.
• People involved — the researcher who submitted the report, assignee, program, and collaborators.
• Scope and rewards — the affected asset, bounty and swag awards, attachments, and remediation guidance.

• Monitor vulnerability disclosure programs from a single place in Elastic Security.
• Build SLA dashboards using response-time and resolution-time metrics.
• Track bounty spending across programs.

Before you install the integration, gather the following from your HackerOne organization:

1. API access. API tokens are available on Professional, Community, and Enterprise programs. Use the free Sandbox program for testing.
2. An organization API token with Report management permission. As an Organization Administrator, go to Organization Settings → API Tokens to create one. Save both the identifier and the value when the token is created — the value is shown only once.
3. At least one program handle or inbox ID to tell the integration which reports to collect.
   • Program handle — the name in your program URL: https://hackerone.com/<handle> (for example, acme).
   • Inbox ID — the numeric ID from your inbox settings page URL.
4. (Optional) IP allowlist entry — if your organization restricts API access by IP, add the outbound IP address of the Elastic Agent host.

Elastic Agent must be installed. For more details, check the Elastic Agent installation instructions. You can install only one Elastic Agent per host.

1. In Kibana, go to Integrations and search for HackerOne.
2. Click Add HackerOne.
3. Fill in the required settings:
   • URL — HackerOne API address (default: https://api.hackerone.com).
   • API token identifier — the identifier from your API token.
   • API token value — the secret value from your API token.
   • Program handles and/or Inbox IDs — at least one is required.
   • Interval — how often to check for new reports (default: every 5 minutes).
   • Initial lookback — how far back to fetch reports on the first run (default: 24 hours).
   • Page size — number of reports retrieved per request (default: 100).
4. Optionally narrow what is collected with State filter and Severity filter.
5. Save the integration policy and assign it to an Elastic Agent policy.

After the integration is running, open Discover in Kibana and search for event.dataset: "hackerone.report". You should see reports within one polling interval (default: 5 minutes) after they are created or updated in HackerOne.

For help with Elastic ingest tools, check Common problems.

• 401 Unauthorized — The API token identifier or value is wrong. Make sure you entered the token identifier (not your email address) in the identifier field.
• 403 Forbidden — The token is valid, but access was denied. Check that the Elastic Agent's IP address is on your organization's allowlist, and that the token has access to the programs you configured.
• 429 Too Many Requests — HackerOne limits how many requests you can make per minute. Try increasing the polling interval or collecting fewer programs with a single agent.
• No documents indexed — Confirm that at least one Program handle or Inbox ID is set. The integration needs at least one to know which reports to collect.

For guidance on scaling data ingestion, see Ingest Architectures.

A single agent can handle many programs at the default 5-minute interval. If you set a long initial lookback (for example, 30 days or more), the first run may take longer while historical reports are collected.

The report data stream collects bug bounty reports from HackerOne. Each report is stored as one document. When a report is updated, a new document is indexed with the latest information.

{
    "@timestamp": "2026-05-06T15:00:00.000Z",
    "agent": {
        "ephemeral_id": "a7695a43-0306-48e8-914a-e238120f982e",
        "id": "fe486f40-745b-4d48-bf94-82c6afffb697",
        "name": "elastic-agent-10839",
        "type": "filebeat",
        "version": "9.4.1"
    },
    "data_stream": {
        "dataset": "hackerone.report",
        "namespace": "51555",
        "type": "logs"
    },
    "ecs": {
        "version": "9.3.0"
    },
    "elastic_agent": {
        "id": "fe486f40-745b-4d48-bf94-82c6afffb697",
        "snapshot": false,
        "version": "9.4.1"
    },
    "event": {
        "action": "report-triaged",
        "agent_id_status": "verified",
        "category": [
            "vulnerability"
        ],
        "created": "2026-05-06T15:00:00.000Z",
        "dataset": "hackerone.report",
        "end": "2026-05-06T15:00:00.000Z",
        "id": "1003",
        "ingested": "2026-05-25T09:09:22Z",
        "kind": "event",
        "module": "hackerone",
        "original": "{\"attributes\":{\"created_at\":\"2026-05-06T15:00:00.000Z\",\"cve_ids\":[],\"last_activity_at\":\"2026-05-06T15:00:00.000Z\",\"state\":\"triaged\",\"submitted_at\":\"2026-05-06T15:01:00.000Z\",\"title\":\"Second-page XSS example\",\"vulnerability_information\":\"Short stub description for tests.\"},\"id\":\"1003\",\"relationships\":{\"program\":{\"data\":{\"attributes\":{\"created_at\":\"2017-09-28T13:08:32.058Z\",\"handle\":\"acme\",\"updated_at\":\"2026-05-07T08:41:04.851Z\"},\"id\":\"9001\",\"type\":\"program\"}}},\"type\":\"report\"}",
        "outcome": "unknown",
        "start": "2026-05-06T15:00:00.000Z",
        "type": [
            "info"
        ],
        "url": "https://hackerone.com/reports/1003"
    },
    "hackerone": {
        "report": {
            "attributes": {
                "created_at": "2026-05-06T15:00:00.000Z",
                "last_activity_at": "2026-05-06T15:00:00.000Z",
                "state": "triaged",
                "submitted_at": "2026-05-06T15:01:00.000Z",
                "title": "Second-page XSS example"
            },
            "relationships": {
                "program": {
                    "data": {
                        "attributes": {
                            "created_at": "2017-09-28T13:08:32.058Z",
                            "updated_at": "2026-05-07T08:41:04.851Z"
                        },
                        "type": "program"
                    }
                }
            },
            "type": "report"
        }
    },
    "input": {
        "type": "cel"
    },
    "message": "Second-page XSS example",
    "observer": {
        "product": "HackerOne",
        "vendor": "HackerOne"
    },
    "organization": {
        "id": "9001",
        "name": "acme"
    },
    "tags": [
        "preserve_original_event",
        "forwarded",
        "hackerone-report"
    ],
    "vulnerability": {
        "description": "Short stub description for tests.",
        "reference": "https://hackerone.com/reports/1003",
        "report_id": "1003",
        "scanner": {
            "vendor": "HackerOne"
        }
    }
}
		

• Description: Latest Reports from HackerOne. As reports get updated, this transform stores only the latest state of each report inside the destination index. The transform's destination index contains only the latest state of the report.
• Source Index: logs-hackerone.report-*
• Destination Index: logs-hackerone_latest.dest_report-v1

These inputs can be used with this integration:

To collect logs via API endpoint, configure the following parameters:

• API Endpoint URL
• API credentials (tokens, keys, or username/password)
• Request interval (how often to fetch data)

This integration uses the following HackerOne API endpoint:

• List reports — retrieves bug bounty reports for the programs or inboxes you configure.

This integration includes one or more Kibana dashboards that visualizes the data collected by the integration. The screenshots below illustrate how the ingested data is displayed.

×