Skip to content
AutoTriageBot automatically verifies, deduplicates, and suggests payouts for incoming HackerOne reports.
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


Automatically verify, deduplicate, and suggest payouts for vulnerability reports through HackerOne.

Currently, this bot can automatically verify reports about XSS, SQLi, and Open Redirect vulnerabilities (via both GET and POST). In addition, it is built in a modular manner so that it can be easily expanded to add tests for other classes of vulnerabilities.


AutoTriageBot is effectively SSRF (Server Side Request Forgery) as a Service. In order to securely run AutoTriageBot, it must be run in an isolated environment. It is highly recommended to set up a blacklist blocking AutoTriageBot from reaching any potentially dangerous IP addresses. See for three suggested firewall configurations.


Follow the directions in docs/ to configure AutoTriageBot. Then run to start the swarm and run the bot (it will prompt you for API keys). Note that the HackerOne API key needs to be a member of the "Standard" group.


To rebuild the bot, run ./ To start and stop the bot, run ./ and ./ respectively.


To run tests, run with the appropriate flag:

usage: [-h] [--fast] [--integration] [--all] [--norestart]

Run tests

optional arguments:
  -h, --help     show this help message and exit
  --fast         Run the fast tests
  --integration  Run the integration tests
  --all          Run all of the tests
  --norestart    Don't restart docker
  --slow         Run the slow tests

Docs & Examples:

See the docs/ folder for further documentation on usage, development, and architecture.

See the docs/ExampleReports/ folder for a number of example interactions between the bot and a reporter.


Copyright 2017, developed by David Dworken as an internship project. Pull requests welcome!

You can’t perform that action at this time.