HackerOne Bug Bounty and VDP REST API

HackerOne's bug bounty and vulnerability disclosure platform exposes a REST API for enterprises to automate security report management, researcher bounty payments, program configuration, and vulnerability data integration. It lets AI agents retrieve reports, update triage states, manage bounty awards, and integrate HackerOne security findings with ITSM and DevSecOps platforms through HackerOne's market-leading crowdsourced security platform. Capability areas for AI agents:

  • Report management: vulnerability report retrieval, filtering, and triage status automation
  • Bounty management: researcher bounty award and payment processing automation
  • Program management: bug bounty program scope and configuration automation
  • Hacker management: security researcher reputation and profile retrieval automation
  • Activity management: report activity thread and analyst communication automation
  • Asset management: in-scope target and asset inventory automation
  • Integration management: JIRA, ServiceNow, and GitHub vulnerability tracking automation
  • Analytics: program performance and vulnerability trend analytics automation
  • Inbox management: report triage workflow and assignment automation
  • Integration of HackerOne with DevSecOps pipelines, ITSM, and vulnerability management for crowdsourced security program automation

Evaluated Mar 07, 2026
Category: Other. Tags: hackerone, bug-bounty, VDP, vulnerability-disclosure, crowdsourced-security, H1
⚙ Agent Friendliness: 62 / 100 (Can an agent use this?)
🔒 Security: 74 / 100 (Is it safe for agents?)
⚡ Reliability: 72 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

MCP Quality: 10
Documentation: 82
Error Messages: 76
Auth Simplicity: 80
Rate Limits: 76

🔒 Security

TLS Enforcement: 99
Auth Strength: 68
Scope Granularity: 64
Dep. Hygiene: 72
Secret Handling: 70

Bug bounty/VDP. SOC2, FedRAMP. Basic auth. US/EU. Vulnerability finding and researcher data.

⚡ Reliability

Uptime/SLA: 72
Version Stability: 76
Breaking Changes: 70
Error Recovery: 72

Best When

An enterprise security team wanting AI agents to automate HackerOne report management, bounty processing, DevSecOps integration, and program analytics for their bug bounty or vulnerability disclosure program.

Avoid When

  • HACKERONE PROGRAM IS REQUIRED: the HackerOne API requires an active bug bounty or VDP program. Automation that assumes general access will get account_required for organizations without a HackerOne program, so it must run under an active HackerOne program.
  • REPORT TRIAGE REQUIRES SECURITY EXPERTISE: HackerOne vulnerability reports need human security-engineering triage to validate and classify them. Automation that auto-triages will produce triage_error for reports processed without security expert review, so it must implement a human triage workflow.
  • BOUNTY PAYMENTS HAVE COMPLIANCE REQUIREMENTS: bounty payments to international researchers may require tax compliance (W-8, W-9). Automation that assumes instant payment will hit payment_hold for payments to researchers with incomplete tax information, so it must handle tax information requirements.
  • API IS GRAPHQL-FIRST: HackerOne's primary API is GraphQL, not REST. Automation that assumes REST only will have a capability_gap for advanced HackerOne operations available only in the GraphQL API, so it should evaluate the GraphQL API for comprehensive program management.

Use Cases

  • Automating vulnerability report triage and routing to security engineering for DevSecOps automation agents
  • Processing researcher bounty awards on validated critical vulnerabilities for security program management agents
  • Syncing HackerOne findings with JIRA for remediation tracking in engineering workflows for DevSecOps agents
  • Reporting on bug bounty program metrics and researcher engagement for security leadership automation agents

Not For

  • Automated vulnerability scanning without human researchers (HackerOne is crowdsourced human testing; Tenable and Qualys serve automated scanning)
  • Internal security team pentesting management (HackerOne is external researcher marketplace; internal pentesting uses different tools)
  • Compliance-driven point-in-time assessment (HackerOne is continuous crowdsourced discovery; compliance scans use Qualys or Nessus)

Interface

REST API: Yes
GraphQL: Yes
gRPC: No
MCP Server: No
SDK: No
Webhooks: Yes

Authentication

Methods: basic
OAuth: No
Scopes: No

HackerOne uses Basic Auth (API identifier + token) for the Bug Bounty REST and GraphQL APIs. REST + GraphQL with JSON.

San Francisco, CA HQ. Founded 2012 by Michiel Prins, Jobert Abma, Alex Rice, and Merijn Terheggen. Raised $160M+. Products: HackerOne Bug Bounty, HackerOne VDP (vulnerability disclosure), HackerOne Pentest, HackerOne Attack Surface Management. 3,000+ programs. 1M+ registered researchers. $300M+ paid in bounties. Industries: technology, government, financial services, automotive. US Department of Defense partner. Competes with Bugcrowd, Intigriti, and YesWeHack for crowdsourced security.

Pricing

Model: usage
Free tier: Yes
Requires CC: No

San Francisco CA. $160M raised. 3,000+ programs. $300M+ bounties paid. 1M+ researchers. VDP free; bounty paid.

Agent Metadata

Pagination: cursor
Idempotent: Partial
Retry Guidance: Documented

Known Gotchas

  • GRAPHQL IS THE PRIMARY API: HackerOne's GraphQL API has capabilities beyond the REST API. Automation that assumes REST first will have a capability_gap for advanced operations available only in GraphQL, so evaluate both the REST and GraphQL APIs for full capability coverage.
  • BASIC AUTH USES API IDENTIFIER NOT USERNAME: HackerOne API authentication uses the API identifier (not the username) as the Basic Auth username and the API token as the password. Automation that assumes a username/password pair will get authentication_failure for requests using the username instead of the API identifier, so use the API identifier from HackerOne settings.
  • REPORT STATE TRANSITIONS ARE CONTROLLED: HackerOne report states have allowed transitions (new → triaged → needs-more-info → resolved, etc.). Automation that assumes arbitrary state changes will get invalid_transition for changes not in the allowed transition matrix, so follow HackerOne's report state machine.
  • CURSOR PAGINATION IS REQUIRED: the HackerOne GraphQL API uses cursor-based pagination. Automation that assumes offset pagination will get incomplete_results when listing reports without cursor tokens, so use endCursor from pageInfo to page correctly.
  • DISCLOSURE POLICY CONTROLS REPORT VISIBILITY: HackerOne disclosure settings control when reports become public. Automation that assumes reports stay permanently private will face unexpected_disclosure for reports on programs with coordinated disclosure timelines, so account for the program's disclosure policy in report handling.

Scores are editorial opinions as of 2026-03-07.