HackerOne is a vulnerability coordination and bug bounty platform that connects businesses with penetration testers and cybersecurity researchers.
With the HackerOne integration, users can manage remediation of vulnerabilities detected by their bug bounty program in the Vulcan unified risk view.
HackerOne integration is available via CSV export or API.
Using CSV file
In HackerOne
- Go to the HackerOne program -> Inbox -> All
- Click Download as CSV
In Vulcan
- Go to Connectors -> Add a connector
- Choose HackerOne CSV
- Upload CSV file
Using API integration
- Go to the HackerOne program and follow the instructions to generate an API token
- You don't need to select groups
- In Vulcan, go to Connectors -> Add a connector -> Choose HackerOne
- Enter API credentials
HackerOne Assets
HackerOne programs are shown in Vulcan as Website Assets, and program information can be found in the asset details. Some fields are mapped to Vulcan fields according to the table below:
HackerOne | Vulcan | Notes |
Reported To | Site Name | |
Asset | Pages | |
Program type | Tag | A tag will be created for the type |
HackerOne Vulnerabilities
HackerOne findings are shown in the vulnerabilities view, with the report title as the vulnerability name. Each vulnerability contains the report details.
Severity - if CVSS is available, it will be used as part of the risk calculation; otherwise the severity will be converted to a numerical score as follows:
- Critical - 10
- High - 8
- Medium - 5
- Low - 2
- None - 0
The following data will be mapped if available:
HackerOne | Vulcan | Notes |
CVE ID | CVE | Used to match fixes |
Weakness | CWE | Used to match threats |
References | Vulnerability details | |
Each report state is mapped to the corresponding state in Vulcan:
HackerOne | Vulcan |
New | Vulnerable |
Triaged | Vulnerable |
Retesting | Vulnerable |
Needs More Info | Vulnerable |
Resolved | Fixed |
Informative | Ignored - risk acknowledged |
Duplicate | Ignored - False positive |
Not Applicable | Ignored - False positive |
Spam | Ignored - False positive |
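A pre-upload check for a CSV export, applying the severity and state mappings described above. This is an added example, not Vulcan's or HackerOne's code. The column names (title, severity, cvss_score, state), the hyphen/underscore normalisation, and the fallback to the rating when a CVSS value is unusable are assumptions of this sketch.

```python
import csv
import io
# Rating -> score and report state -> Vulcan state, copied from this page.
SEVERITY_SCORE = {"critical": 10.0, "high": 8.0, "medium": 5.0, "low": 2.0, "none": 0.0}
STATE_MAP = {
    "new": "Vulnerable", "triaged": "Vulnerable", "retesting": "Vulnerable",
    "needs more info": "Vulnerable", "resolved": "Fixed",
    "informative": "Ignored - risk acknowledged",
    "duplicate": "Ignored - False positive",
    "not applicable": "Ignored - False positive",
    "spam": "Ignored - False positive",
}

def _key(value):
    # Treat "Needs More Info", "needs-more-info" and "needs_more_info" alike.
    return (value or "").strip().lower().replace("-", " ").replace("_", " ")

def preview_row(row):
    """Return (title, score, vulcan_state, problems) for one report row."""
    problems, score = [], None
    cvss = (row.get("cvss_score") or "").strip()  # assumed column name
    if cvss:
        try:
            score = float(cvss)
        except ValueError:
            problems.append(f"unparseable CVSS {cvss!r}")
        else:
            if not 0.0 <= score <= 10.0:
                problems.append(f"CVSS out of range: {score}")
                score = None
    if score is None:  # no usable CVSS: fall back to the rating list
        score = SEVERITY_SCORE.get(_key(row.get("severity")))
        if score is None:
            problems.append(f"unknown severity {row.get('severity')!r}")
    state = STATE_MAP.get(_key(row.get("state")))
    if state is None:
        problems.append(f"unmapped state {row.get('state')!r}")
    return row.get("title", ""), score, state, problems

def preview_export(csv_text):
    return [preview_row(r) for r in csv.DictReader(io.StringIO(csv_text))]

# Constructed sample rows, not real HackerOne data.
SAMPLE_CSV = """title,severity,cvss_score,state
Stored XSS in profile page,high,7.4,triaged
Open redirect on login,low,,resolved
Missing SPF record,none,,informative
SQL injection in search,critical,,needs-more-info
Second report of the XSS,medium,,duplicate
Unrecognised row,severe,,pre-submission
"""
```

Rows that come back with a non-empty problems list are the ones to review before uploading, since this page does not say how unlisted severities or states are handled.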