
Awarding a bounty for a report received outside of HackerOne

The HackerOne API can be used to award hackers who submitted vulnerabilities to your organization outside of HackerOne. To start paying hackers, generate an API token on your Program settings page. This option is only available in HackerOne Professional, HackerOne Enterprise, and HackerOne Community Edition. This API endpoint is not for awarding bounties for reports on HackerOne itself, only for reports that were received outside of HackerOne.

Click the Create API Token button to start creating a token. It'll ask you to enter a unique identifier for the token. Once the identifier has been entered, the API token will be generated and presented to you. This is the only time the API token is shown to you! After that, make sure that you grant Reward Management permissions to the API token. You can do this by clicking "Manage groups" next to the API identifier. By default, the Standard group has Reward Management permission. If you've created separate groups, please select the groups that apply.

Next up is making sure you have funds in your account. There are two ways to do this: enter your Credit Card information on the Billing page or prepay by invoice. The former is completely self-service and can be found under your General settings page. The latter can be initiated by sending an email to your HackerOne account manager.

Now that there's a way to pay for the bounties, you're close to actually awarding one. The documentation on how to award a bounty can be found on this page. Below are code examples in cURL and Ruby to help you get going. The program ID used in the examples below, 1337, is fictitious and should be replaced with your own program ID. You can find your program ID in report objects or by asking your HackerOne account manager.

cURL

curl "https://api.hackerone.com/v1/programs/1337/bounties" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
  {
    "data": {
      "type": "bounty",
      "attributes": {
        "amount": 100,
        "reference": "JIRA1239",
        "title": "Reflected XSS on marketing.example.com",
        "recipient": "hacker@hackerone.com"
      }
    }
  }
EOD

Ruby

require 'httparty'
require 'json'

# API identifier and token generated on your Program settings page
basic_auth = {
  username: 'api_example_company',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
}

data = {
  data: {
    type: 'bounty',
    attributes: {
      amount: 100,
      reference: 'JIRA1239',
      title: 'Reflected XSS on marketing.example.com',
      recipient: 'hacker@hackerone.com',
      currency: 'USD',
    }
  }
}

# The body must be sent as a JSON string with a JSON content type;
# HTTParty takes headers via the headers: option, not content_type:
response = HTTParty.post(
  'https://api.hackerone.com/v1/programs/1337/bounties',
  body: data.to_json,
  headers: { 'Content-Type' => 'application/json' },
  basic_auth: basic_auth
)

puts response.code
puts response.body
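As an added example (not HackerOne's own code), here is a stdlib-only Ruby variant of the same call that uses Net::HTTP instead of HTTParty, reads the API identifier and token from environment variables rather than hardcoding them, validates the bounty fields before anything is sent, and keeps request construction separate from sending so the request can be inspected first. The environment variable names and the helper names `build_bounty_payload`, `build_bounty_request` and `award_external_bounty` are assumptions.

```ruby
require 'net/http'
require 'json'
require 'uri'

# Build the JSON:API body the bounties endpoint expects. Fields are validated up
# front so a bad ticket export cannot produce a malformed or unintended award.
def build_bounty_payload(amount:, reference:, title:, recipient:, currency: 'USD')
  raise ArgumentError, 'amount must be a positive integer' unless amount.is_a?(Integer) && amount.positive?
  raise ArgumentError, 'reference (your ticket ID) is required' if reference.to_s.strip.empty?
  raise ArgumentError, 'title is required' if title.to_s.strip.empty?
  raise ArgumentError, 'recipient must be an email address' unless recipient.to_s.match?(/\A[^@\s]+@[^@\s]+\z/)

  { data: { type: 'bounty',
            attributes: { amount: amount, reference: reference, title: title,
                          recipient: recipient, currency: currency } } }
end

# Build (but do not send) the POST. Credentials are read from the environment
# (assumed variable names) so the token never sits in source control; the token
# still needs the Reward Management permission granted on HackerOne.
def build_bounty_request(program_id, payload,
                         identifier: ENV.fetch('H1_API_IDENTIFIER'), token: ENV.fetch('H1_API_TOKEN'))
  uri = URI("https://api.hackerone.com/v1/programs/#{program_id}/bounties")
  req = Net::HTTP::Post.new(uri)
  req.basic_auth(identifier, token)          # same HTTP Basic auth as the cURL/HTTParty examples
  req['Content-Type'] = 'application/json'
  req.body = JSON.generate(payload)
  [uri, req]
end

# End-to-end helper: validate, build, send, and return status and raw body.
# Only call this deliberately; a successful call spends from your program balance.
def award_external_bounty(program_id, **fields)
  uri, req = build_bounty_request(program_id, build_bounty_payload(**fields))
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |http| http.request(req) }
  { status: res.code.to_i, body: res.body }
end
```

Export H1_API_IDENTIFIER and H1_API_TOKEN, then call `award_external_bounty(1337, amount: 100, reference: 'JIRA1239', title: 'Reflected XSS on marketing.example.com', recipient: 'hacker@hackerone.com')`, replacing 1337 with your own program ID.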

After the bounty has been awarded, the user will receive an email to claim the bounty. HackerOne will collect the person's tax form before processing the payout. The awarded amount, including your applicable fees, will be deducted from your balance immediately. A resolved dummy report will show up in your Bugs overview, which helps you keep track of the bounties you've paid out.

For technical questions or help with your implementation, please reach out to support@hackerone.com or your HackerOne account manager. 
