Platforms (Unified BB Manager)

The Platforms view is the unified bug bounty platform manager. Configure once, sync across all four supported platforms, then access programs, scope, and reports from one screen — without picking which platform every time.

Supported platforms:

• HackerOne — h1
• Bugcrowd — bugcrowd
• YesWeHack — ywh
• Intigriti — intigriti

Pro license required.

🔗Why Platforms (vs Per-Platform Views)?

Per-platform views (HackerOne / YesWeHugin) give you the deep, platform-specific UX — bounty calculators, hall-of-fame, hacktivity. The Platforms view is the cross-cutting view: search across platforms, compare bounty ranges for the same target, see which platform has the most active scope.

Both surfaces share data — programs synced via the Platforms view appear in the per-platform views automatically.

🔗Setup

For each platform you want to use:

1. Generate API credentials on the platform
2. Settings → Integrations → Platforms → [platform name]
3. Enter API key + (for some) username
4. Test connection — verifies the credentials work

Or via the Platforms view → + Add Platform → pick platform → enter creds.

Credentials are encrypted at rest using the OS keyring (or derived key fallback).

🔗Sync Programs

The Sync action fetches all programs you have access to across all configured platforms. Hugin builds a unified table:

• Platform (icon)
• Program handle
• Company name
• Bounty range (normalised across platforms)
• Asset count
• Status
• Last activity
• Tags

Filter by platform, bounty min/max, asset type, status. Sort by bounty, asset count, last activity.

Sync runs on demand (manual button) or on a schedule (Settings → Integrations → Auto-Sync). Default: daily.

🔗Compare Across Platforms

Some companies run bug bounty programs on multiple platforms. Search by company name to see all listings — useful for picking which platform to submit to (often higher bounties on one vs another).

🔗Per-Program Detail

Click any program for the platform-specific detail panel — same as the per-platform views (HackerOne / YesWeHugin). Scope import, bounty table, hacktivity, submit-report flow.

🔗Submit-To-Best Workflow

For findings that affect a target with multiple platforms:

1. Findings → right-click → Promote to Report
2. Hugin asks: “This target has programs on H1, Bugcrowd, YesWeHack — which?”
3. Pick the best (highest bounty or strongest relationship) and submit there
4. Optionally clone the draft to other platforms and submit later (some programs allow simultaneous; check the platform’s policy)

🔗Cross-Platform Reports Inbox

The My Reports tab combines all reports across all platforms in one inbox:

• Status filters work across platforms
• Notifications when any report state changes
• Reply / add evidence inline, regardless of source platform

Useful when working multiple programs simultaneously.

🔗Bulk Scope Import

Multi-select programs → Import All Scope to add scope from all selected programs to a single Hugin project. The project’s scope rules become “match any of these programs’ assets”. Useful for shared engagements (e.g., “all my active programs” project).

Alternatively, Create Project per Program creates one Hugin project per selected program with the right scope pre-filled.

🔗MCP

The platforms MCP tool exposes:

• list — list configured platforms with status
• get — one platform’s config
• set — add or update credentials (api_key + optional username/base_url)
• remove — remove a platform
• test — verify API connectivity
• sync_programs — fetch programs from one or all platforms
• get_program — program details + scope (works across platforms)

For platform-specific actions (submit reports, etc.), use the per-platform tools (hackerone, yeswehack).

🔗API Rate Limits

Each platform has its own rate limits. Hugin tracks limits per platform and self-throttles to avoid hitting them. Status visible in the Platforms view header.

If you frequently hit limits (heavy sync workloads), upgrade your API tier on the platform — Hugin doesn’t currently support multi-key rotation per platform.

🔗Privacy

API credentials never leave your machine. Sync calls go directly platform → Hugin; HuginSecurity servers are not in the loop.

Captured program data (scope, bounty info, public hacktivity) is stored locally in ~/.hugin/platforms/. Includes only public information per platform’s API; private invitation details are kept encrypted at rest.