HackerOne

The HackerOne integration mirrors the YesWeHugin experience for HackerOne’s platform. Browse public and invited programs, import scope directly into Hugin, draft and submit reports — all without leaving the application.

Pro license required (multi-platform integrations are a Pro feature).

🔗Setup

Generate an API token from your HackerOne account:

  1. https://hackerone.com/users/edit/api_tokens
  2. Create a new token; note the username + token string
  3. In Hugin: Settings → Integrations → Platforms → HackerOne → enter username + token
  4. Click Test to verify that the credentials are accepted

The token authorises Hugin’s API calls with the same permissions as your account, so treat it as an account credential: keep it out of shared configs and screenshots, and revoke it on the HackerOne API tokens page if it is ever exposed.

🔗Browsing Programs

The HackerOne view shows all programs you can access:

  • Public programs — public bug bounty programs
  • Private invitations — programs you’re personally invited to
  • VDP — vulnerability disclosure programs (no bounty)

Each card displays: program handle, company name, bounty range, asset count, status (open / pending / paused), tags (e.g., mobile, iot, crypto).

Filter / search by name, asset type (web / mobile / API / IoT / crypto), bounty min/max, region.

🔗Program Detail

Click any program for the full detail panel:

🔗Description

Markdown-rendered program description, including scope rules, qualifying vulnerabilities, hunting guidelines.

🔗Scope

Per-asset table:

  • Asset URL / identifier
  • Asset type
  • Bounty eligibility
  • Special instructions

Import Scope button on any asset adds it to Hugin’s active project scope. Bulk import via multi-select.

🔗Bounty Table

Per-severity bounty ranges (Critical / High / Medium / Low). Useful for prioritising effort.

🔗Hacktivity

Public reports filed against this program: title, severity, bounty, date. Useful for understanding what’s been found before; check it before filing so you don’t submit a duplicate.

🔗Hall of Fame

Top researchers ranked by reputation, signal, and bounties earned.

🔗Submitting Reports

Click + New Report on any program:

  • Title — short vulnerability description
  • Vulnerability information — Markdown editor with HackerOne’s template (Description, Steps to Reproduce, Impact, Suggested Fix)
  • Asset — pick the affected scope asset
  • Severity — Critical / High / Medium / Low / None
  • CVSS calculator — built-in CVSS 3.1 base score from metric dropdowns; vector string updates live
  • Weakness — pick from CWE-mapped weakness types (300+ choices, searchable)
  • Source code references — line/file references if relevant
  • Attachments — upload PoC files, screenshots, HAR captures (max 25 MB per file)

🔗Pre-Submission Validations

Hugin checks the report against HackerOne’s submission requirements:

  • Title length
  • Description minimum length
  • Required fields per program
  • Attachment size limits

Warnings surface inline; submit is gated until they’re addressed.

🔗Draft Management

Reports save as drafts in ~/.hugin/hackerone/drafts/. Drafts persist across sessions and can be edited before submission. Multi-step composition: capture flows during testing, attach to draft, refine, submit when ready. Drafts hold unsubmitted vulnerability details and PoC attachments, so protect that directory as you would any other sensitive working data (local-only, not synced to shared storage or committed to a repository).

🔗After Submission

Submitted reports appear in the My Reports tab:

  • Status (New / Triaged / Needs more info / Resolved / Duplicate / N/A)
  • Bounty awarded (if any)
  • Last update timestamp
  • Comment thread

Click any report for the full view, comment thread, and ability to reply / add new evidence inline.

🔗Integration Workflow

  1. Browse programs in HackerOne, find a target
  2. Import scope with one click → Hugin’s proxy now restricts capture to in-scope hosts
  3. Test using proxy + scanner + intruder + other tools
  4. Document findings in the Findings tab
  5. Promote to Report — right-click a finding → Promote to HackerOne. Pre-fills title, description, evidence flows, suggested CVSS.
  6. Submit directly from Hugin

No browser-tab juggling between Hugin and HackerOne.
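Step 2 of the workflow, like the Import Scope button and the scope_to_scan helper, rests on a scope matcher that decides per request host whether it falls inside the imported assets. The following is an added example in Python, not Hugin’s own implementation; the asset type names (WILDCARD, URL, CIDR), the ScopeEntry shape and the sample program scope are constructed for illustration. It encodes the three rules that keep a tester inside the program’s terms: out-of-scope entries win over in-scope ones, a wildcard `*.example.com` covers subdomains but not the apex (which must be listed on its own), and anything that matches nothing is treated as out of scope rather than guessed at.

```python
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class ScopeEntry:
    identifier: str          # "*.example.com", "https://app.example.com/", "203.0.113.0/24"
    asset_type: str          # assumed type labels: "WILDCARD", "URL" or "CIDR"
    eligible: bool = True    # bounty eligibility as shown in the per-asset scope table


def host_of(target: str) -> str:
    """Normalise a bare host, host:port or full URL to a lowercase hostname."""
    if "://" in target:
        host = urlparse(target).hostname or ""
    else:
        host = target.split("/", 1)[0].split(":", 1)[0]
    return host.lower().rstrip(".")


def matches(entry: ScopeEntry, host: str) -> bool:
    ident = entry.identifier.lower()
    if entry.asset_type == "CIDR":
        try:
            return ipaddress.ip_address(host) in ipaddress.ip_network(ident, strict=False)
        except ValueError:
            return False   # a hostname never matches a CIDR entry; resolve it first if you need that
    if entry.asset_type == "WILDCARD" or ident.startswith("*."):
        suffix = ident[2:] if ident.startswith("*.") else ident
        # Subdomains only: "*.example.com" does not put example.com itself in scope,
        # and the leading dot prevents "evil-example.com" from matching.
        return host.endswith("." + suffix)
    return host_of(ident) == host


def classify(target: str, in_scope, out_of_scope) -> str:
    """Return 'in_scope', 'in_scope_no_bounty' or 'out_of_scope' for a host or URL."""
    host = host_of(target)
    if any(matches(e, host) for e in out_of_scope):
        return "out_of_scope"          # exclusions take precedence over any inclusion
    hits = [e for e in in_scope if matches(e, host)]
    if not hits:
        return "out_of_scope"          # default deny: unknown hosts are not tested
    return "in_scope" if any(e.eligible for e in hits) else "in_scope_no_bounty"


def filter_in_scope(targets, in_scope, out_of_scope):
    """What a proxy or scanner would keep: only targets that classify as in scope."""
    return [t for t in targets if classify(t, in_scope, out_of_scope).startswith("in_scope")]


# Constructed sample scope, standing in for what Import Scope would pull from a program.
IN_SCOPE = [
    ScopeEntry("*.example.com", "WILDCARD"),
    ScopeEntry("https://app.example.com/", "URL"),
    ScopeEntry("203.0.113.0/24", "CIDR"),
    ScopeEntry("legacy.example.net", "URL", eligible=False),
]
OUT_OF_SCOPE = [
    ScopeEntry("staging.example.com", "URL"),
    ScopeEntry("*.corp.example.com", "WILDCARD"),
]

if __name__ == "__main__":
    for t in ("https://api.example.com/v1/users", "example.com", "staging.example.com",
              "vpn.corp.example.com", "203.0.113.42", "legacy.example.net", "evil-example.com"):
        print(f"{classify(t, IN_SCOPE, OUT_OF_SCOPE):18s} {t}")
```

The default-deny branch is deliberate: a proxy that captures a host it cannot match is, from the program’s point of view, testing out of scope, so the safe failure is to drop the traffic and let the tester add the asset explicitly.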

🔗MCP

The hackerone MCP tool exposes:

Authentication:

  • auth_status, auth_set

Programs:

  • programs — list available programs
  • program_detail — full program info
  • scopes — scope items for a program
  • hacktivity — public report stream for a program
  • weaknesses — supported weakness types

Reports:

  • report_list, my_reports, report_get, report_create, report_update, report_delete
  • report_attach — attach a file to a report

Drafts:

  • draft_intent_create, draft_intent_upload

Payments:

  • payments_balance, payments_earnings

Cross-tool helpers:

  • scope_to_scan — convert a program’s scope into scanner targets

LLM agents can drive end-to-end: capture flow → confirm bug → draft report → submit. Keep a human review step before report_create: submissions go out under your account and are subject to the same duplicate, scope and signal consequences as a manual report.

🔗See Also

  • Platforms — unified manager for HackerOne / Bugcrowd / YesWeHack / Intigriti
  • YesWeHugin — sister integration for YesWeHack