Overview
About HackerOne
HackerOne is a vulnerability coordinator and bug bounty platform that connects businesses with penetration testers and cybersecurity researchers.
The HackerOne platform allows organizations to set their scope, track bug reports, and manage payouts from one location. When integrated with the Vulcan Platform, you can review Website vulnerabilities on your assets while leveraging the discoverability and automation of Vulcan Cyber. This article explains how to connect HackerOne to Vulcan Cyber, locate the ingested data, and automate actions on it.
Why integrate HackerOne into the Vulcan platform?
The HackerOne Connector by Vulcan integrates with the HackerOne platform to pull and ingest HackerOne website-type assets and vulnerability data into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the report's findings to correlate, consolidate, and contextualize the ingested data to impact risk and remediation priority.
HackerOne Connector details
The HackerOne connector maps domains to websites.
| Supported products | |
|---|---|
| Category | Bug Bounty |
| Ingested asset type(s) | Websites |
| Integration type | Unidirectional (data is transferred from HackerOne to the Vulcan Platform in one direction only) |
| Supported version and type | SaaS (latest) |
Connector Setup
Prerequisites and user permissions
Before you begin configuring the connector, make sure you have the following:
Generating HackerOne API Identifier and Key
Go to your HackerOne console > Organization Settings tab > API Token
Generate an API Identifier and an API token following the instructions here
Note: When you create the API identifier, there is no need to assign the API identifier and Token to a group as this is a read-only user.
Configuring the HackerOne Connector
Log in to your Vulcan Cyber dashboard and go to Connectors.
Click on Add a Connector.
Click on the HackerOne icon.
Set up the connector as follows:
Enter the API Identifier and API Key generated earlier
Click the Test Connectivity button to verify that Vulcan Cyber can connect to your HackerOne instance, then click Create (or Save Changes).
Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.
Allow some time for the sync to complete. Then, you can review the sync status under Log.
To confirm the sync is complete, navigate to the Connectors tab to check the sync status. Once the HackerOne icon shows Connected, the connection is complete.
HackerOne in the Vulcan Platform
Locating HackerOne vulnerabilities in the Vulcan Platform
As HackerOne discovers vulnerabilities, the Vulcan Platform connector imports them for reporting and action. You can view vulnerabilities by connector using the relevant filter:
Open the Vulcan Platform dashboard and navigate to Vulnerabilities.
Click on the Search or filter vulnerabilities search box, scroll to the Vulnerability Source option, and click to filter by the vulnerability source.
Locate HackerOne on the vulnerability source/Connector list and click to filter results.
Click on any vulnerability to view further information.
Locating HackerOne website assets in the Vulcan Platform
To locate all retrieved Website assets from HackerOne:
Open the Vulcan Cyber dashboard and navigate to Assets.
Click on the Websites tab.
Click on the Search or filter websites input box and select Connector from the drop-down selection.
Locate the HackerOne option to view all synced assets.
Automating actions on vulnerabilities detected by HackerOne
Large environments quickly become unmanageable if constant manual attention and effort are necessary to remediate vulnerabilities. Take advantage of the automation capabilities of Vulcan Cyber and the HackerOne Connector.
Click here to learn how to create automation in the Vulcan Cyber Platform.
From HackerOne to the Vulcan Platform - Data Mapping
The Vulcan Platform integrates with HackerOne through its API to pull the relevant vulnerability and asset data and map it into Vulcan Platform pages and fields. HackerOne Domains are mapped to Vulcan Websites. Each HackerOne report is mapped to a vulnerability instance in Vulcan.
Websites mapping
| HackerOne field | Vulcan field |
|---|---|
| | Asset Uniqueness criteria |
| | Asset Name |
| | Asset Details |
| | Asset type |
| | Address |
| | Created date |
| | Last seen date |
| | Tags - Vendor's tags |
Vulnerabilities mapping
| HackerOne field | Vulcan field |
|---|---|
| report id | Vulnerability uniqueness criteria |
| | Vulnerability Title |
| | Vulnerability Description |
| | Vulnerability Details |
| | CVSS |
| | CVE/S |
| | CWE |
| | Asset-Vulnerability connection uniqueness criteria |
| | First Seen |
| | Last Seen |
| | Status |
| | Info tool tip (from Assets screen) |
Vulnerability status mapping
| HackerOne Status | Vulcan Status |
|---|---|
| pre-submission, new, pending-program-review, triaged, retesting, needs-more-info, informative | Vulnerable |
| resolved | Fixed |
| spam, duplicate | Ignored - False Positive |
| not-applicable | Ignored - Risk Acknowledged |
Vulnerability score mapping
| HackerOne score | Vulcan score |
|---|---|
| Critical | 10 |
| High | 7 |
| Medium | 5 |
| Low | 3 |
| none | 0 |
Update Mechanisms
Status update mechanisms
Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any were added).
The table below describes how the status update mechanism works in the HackerOne connector for the vulnerabilities and assets in the Vulcan Platform.
| Update type | Mechanism |
|---|---|
| Archiving Assets | An asset not found on the connector's last sync is archived and no longer presented on the Vulcan Platform. |
| Change of vulnerability instance status from "Vulnerable" to "Fixed" | When the vulnerability status on the vendor side changes to "resolved". |
Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only when the next scheduled sync completes.
API
API Endpoints in use
| API Endpoint | Use in Vulcan | Permissions required |
|---|---|---|
| /me/programs | Program ID for the following steps | None |
| /programs/{programId} | Program handle for the following steps and asset enrichment | None |
| /programs/{programId}/structured_scopes | Assets (website) | None |
| /reports?filter[program][]={programHandle} | Vulnerabilities and asset-vulnerability connections | None |
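The endpoint table above implies a fixed call order: program IDs first, then each program's handle, then its scopes and finally its reports. The following added example (not Vulcan's own connector code) walks that chain read-only, with the HTTP call injected so it can be exercised offline against constructed stub responses. The base URL, HTTP Basic auth of identifier:token, the JSON:API response shape, the `links.next` pagination and the `asset_type` value `"URL"` are assumptions about the HackerOne v1 API, not taken from this page.

```python
import base64
import json
import urllib.request

BASE = "https://api.hackerone.com/v1"  # assumed v1 base URL, not stated on this page


def http_get(url, identifier, token):
    """Real transport. HackerOne's API takes HTTP Basic auth of identifier:token (assumed)."""
    creds = base64.b64encode(f"{identifier}:{token}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {creds}",
                                               "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def paged(get, path):
    """Yield every record, following JSON:API links.next (assumed pagination scheme)."""
    url = BASE + path
    while url:
        body = get(url)
        yield from body.get("data", [])
        url = body.get("links", {}).get("next")


def collect(get):
    """Walk the endpoint chain from the table: programs -> handle -> scopes -> reports.
    Read-only, consistent with the 'None' permissions column. Returns {handle: {...}}."""
    out = {}
    for prog in paged(get, "/me/programs"):                       # program IDs
        detail = get(f"{BASE}/programs/{prog['id']}")              # handle for later calls
        handle = detail["data"]["attributes"]["handle"]
        scopes = paged(get, f"/programs/{prog['id']}/structured_scopes")
        # Only domain/URL scopes become Vulcan Websites (asset_type value is an assumption).
        websites = [s["attributes"]["asset_identifier"] for s in scopes
                    if s["attributes"].get("asset_type") == "URL"]
        reports = list(paged(get, f"/reports?filter[program][]={handle}"))
        out[handle] = {"websites": websites, "reports": reports}
    return out


# Constructed stub responses so the chain runs offline; shapes are assumptions.
STUB = {
    "/me/programs": {"data": [{"id": "1", "type": "program"}]},
    "/programs/1": {"data": {"id": "1", "attributes": {"handle": "acme"}}},
    "/programs/1/structured_scopes": {"data": [
        {"attributes": {"asset_type": "URL", "asset_identifier": "app.example.com"}},
        {"attributes": {"asset_type": "CIDR", "asset_identifier": "203.0.113.0/24"}}]},
    "/reports?filter[program][]=acme": {"data": [
        {"id": "101", "attributes": {"state": "triaged"}}], "links": {"next": None}},
}


def stub_get(url):
    return STUB[url[len(BASE):]]
```

Swap `stub_get` for `lambda u: http_get(u, identifier, token)` to run the same chain against a real account.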
Data Validation
How do I validate and compare the data between HackerOne and the Vulcan Platform?
Assets validation
Vulcan ingests and maps only HackerOne's Domains into Websites on the Vulcan Platform.
In the HackerOne console, for each program, select the program on the top banner and click on the program name.
Scroll down to the Scopes table to see the program's assets list.
In the Vulcan Platform, go to Assets > Websites.
Filter the assets by Connector - HackerOne.
The number of assets should match the count of domains across all of HackerOne's programs. The example below presents the results of only one program.
Unique vulnerabilities validation
In most cases, the count of open reports in HackerOne should match the unique vulnerabilities count on the Vulcan Platform.
Reports with N/A state are mapped to Ignored on Vulcan.
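The status and score mapping tables above, together with the open-reports check just described, can be reproduced offline. The following added example (not Vulcan's or HackerOne's own code) applies both mapping tables to HackerOne report records and recomputes the "open reports vs. Vulnerable instances" comparison, so an analyst can see where an N/A or duplicate report ends up. The JSON:API record shape (`attributes`, `relationships.severity`, `relationships.structured_scope`) is an assumption about what `/reports` returns; the sample records are constructed.

```python
OPEN_STATES = {"pre-submission", "new", "pending-program-review", "triaged",
               "retesting", "needs-more-info", "informative"}

# Status mapping table from this page; unknown states are rejected rather than guessed.
STATUS_MAP = {**{s: "Vulnerable" for s in OPEN_STATES},
              "resolved": "Fixed",
              "spam": "Ignored - False Positive",
              "duplicate": "Ignored - False Positive",
              "not-applicable": "Ignored - Risk Acknowledged"}

SCORE_MAP = {"critical": 10, "high": 7, "medium": 5, "low": 3, "none": 0}


def vulcan_status(report):
    state = report["attributes"]["state"]
    if state not in STATUS_MAP:
        raise ValueError(f"unmapped HackerOne state: {state!r}")  # fail loud, never silently Ignored
    return STATUS_MAP[state]


def vulcan_score(report):
    # A report with no severity relationship is treated like rating "none" -> 0 (assumption).
    sev = report.get("relationships", {}).get("severity", {}).get("data") or {}
    return SCORE_MAP[sev.get("attributes", {}).get("rating", "none").lower()]


def to_vulcan_instance(report):
    scope = report["relationships"]["structured_scope"]["data"]["attributes"]
    return {"uid": report["id"],  # report id is the vulnerability uniqueness criterion
            "title": report["attributes"]["title"], "website": scope["asset_identifier"],
            "status": vulcan_status(report), "score": vulcan_score(report)}


def validate_counts(reports):
    """Open HackerOne reports should equal Vulnerable instances; N/A and duplicates land in Ignored."""
    by_status = {}
    for inst in (to_vulcan_instance(r) for r in reports):
        by_status[inst["status"]] = by_status.get(inst["status"], 0) + 1
    open_h1 = sum(r["attributes"]["state"] in OPEN_STATES for r in reports)
    vulnerable = by_status.get("Vulnerable", 0)
    return {"open_reports": open_h1, "vulnerable_instances": vulnerable,
            "match": open_h1 == vulnerable, "by_status": by_status}


def h1_report(rid, state, rating, domain):  # builds a constructed sample record
    return {"id": rid, "attributes": {"title": f"Report {rid}", "state": state},
            "relationships": {"severity": {"data": {"attributes": {"rating": rating}}},
                              "structured_scope": {"data": {"attributes": {"asset_identifier": domain}}}}}


SAMPLE_REPORTS = [h1_report("101", "triaged", "high", "app.example.com"),
                  h1_report("102", "new", "critical", "app.example.com"),
                  h1_report("103", "resolved", "medium", "api.example.com"),
                  h1_report("104", "not-applicable", "low", "api.example.com"),
                  h1_report("105", "duplicate", "none", "app.example.com")]
```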
Vulnerability instances validation
Go to the HackerOne console.
Click on Inbox to see the program's reports.
Filter to see only open states.
Click on a specific report to see the related asset. In the example below, we clicked on the "Test by Roni" asset.
On the Vulcan Platform, click on a specific asset to see the attached vulnerabilities. Example: