An unofficial wrapper for the HackerOne API
Clone or download
Type Name Latest commit message Commit time
Failed to load latest commit information.
bin Initial commit Feb 15, 2017
fixtures/vcr_cassettes nope Jun 7, 2018
lib/hackerone bump to 0.13.0 to address #39 Oct 19, 2018
spec Fixed testcase Oct 19, 2018
.gitignore don't set a .ruby-version for now Feb 18, 2017
.rspec Initial commit Feb 15, 2017
.travis.yml drop 2.4 for now Mar 24, 2017 bump to 0.13.0 to address #39 Oct 19, 2018 Initial commit Feb 15, 2017 Create Apr 21, 2017
Gemfile drop 2.4 for now Mar 24, 2017
Guardfile Initial commit Feb 15, 2017
LICENSE.txt Initial commit Feb 15, 2017 bump to 0.11.0 Nov 3, 2017
Rakefile Initial commit Feb 15, 2017
hackerone-client.gemspec bump to 0.9.1 Oct 24, 2017


A limited client library for interacting with HackerOne. Currently only supports a few operations:

client ="github")

# GET '/reports' returns all reports in the "new" state for a given program

# GET '/report/{id}' returns report data for a given report
report =

# PUT '/reports/{id}/assignee'

# POST '/reports/#{id}/activities'
report.add_comment(message, internal: false) # internal is true by default

# POST '/report/{id}/state_change change the state of a report
# `state` can be one of  new, triaged, needs-more-info, resolved, not-applicable, informative, duplicate, spam
# when marking as duplicate, you can supply the original report ID
report.state_change(:duplicate, "Your issue has been marked as X", original_report_id: 12345)

# POST '/report/{id}/add_report_reference add a "reference" e.g. internal issue number

# Triage an issue (add a reference and set state to :triaged)

# POST /reports/{id}/bounty_suggestions
report.suggest_bounty(message: "I suggest $500 with a small bonus. Report is well-written.", amount: 500, bonus_amount: 50)

# POST /reports/{id}/bounties
report.award_bounty(message: "Here's your bounty!", amount: 500, bonus_amount: 50)

# POST /reports/{id}/swags
report.award_swag(message: "Here's your T-Shirt")

# GET `/{program}/reporters` returns a list of unique reporters that have reported to your program

program = HackerOne::Client::Program.find("insert-program-name-here")

# returns all common responses

State change hooks

You can add hooks that will be called for every state change. This can be useful e.g. for ensuring that reports always get assigned or calling out to external services for specific state changes.

# Initialization

HackerOne::Client::Report.add_state_change_hook ->(report, old_state, new_state) do
  # ...


Credential management

You'll need to generate an API token at<program>/api.

  • Click "Create API token"
  • Name the token
  • Click "Create"
  • Copy down the value

Set the HACKERONE_TOKEN and HACKERONE_TOKEN_NAME environment variables.

Program name

In order to retrieve all reports for a given program, you need to supply a default program:

HackerOne::Client.program = "github"

Risk classification

Configure the low/med/high/crit ranges for easier classification based on payouts:

HackerOne::Client.low_range = 1..999
HackerOne::Client.medium_range = 1000...2500
HackerOne::Client.high_range = 2500...5000
HackerOne::Client.critical_range = 5000...100_000_000


Bug reports and pull requests are welcome on GitHub at This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.


The gem is available as open source under the terms of the MIT License.