HackerOne Connector

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the Tenable FedRAMP Product Offering.

HackerOne is a vulnerability coordinator and bug bounty platform that connects businesses with penetration testers and cybersecurity researchers.

The HackerOne platform allows organizations to set their scope, track bug reports, and manage payouts from one location. When integrated with the Tenable Exposure Management, you can review Website vulnerabilities on your assets, while leveraging the power of Tenable Exposure Management discoverability and automation. In this article, you will find how to connect, locate, and automate HackerOne with Tenable Exposure Management.

Tip: For more information on how third-party integrations work, see Connectors.

Connector Details

Details	Description
Supported products	HackerOne
Category	Bug Bounty
Ingested data	Assets and Findings
Ingested Asset Classes	Web Application
Integration type	UNI directional (data is transferred from the Connector to Tenable Exposure Management in one direction)
Supported version and type	SaaS (latest)

Prerequisites and User Permissions

Before you begin configuring the connector, make sure to:

Generate HackerOne API Identifier and Token:
Note: Because this is a read-only user, when you create the API identifier, there is no need to assign the identifier or token to a group.
1. In HackerOne, navigate to Organization Settings > API Tokens.
2. Click Create API Token.
3. Enter an identifier for the new API token. Copy the identifier somewhere safe.
4. Click Add API token.
5. Store the generated API token.
6. Click I have stored the API Token.
  
  TIP: For more information, see HackerOne documentation on API Tokens.

Add a Connector

To add a new connector:

In the left navigation menu, click Connectors.

The Connectors page appears.
In the upper-right corner, click Add new connector.

The Connector Library appears.
In the search box, type the name of the connector.
On the tile for the connector, click Connect.

The connector configuration options appear.

Configure the Connector

To configure the connector:

(Optional) In the Connector's Name text box, type a descriptive name for the connector.
(Optional) To use a preconfigured on-prem connector to connect to this connector, from the Gateway drop-down, select the on-prem connector you want to use for the connector. Otherwise, select Don't use gateway.

Note: For information about configuring a gateway, see Tenable On-Prem Connector.
In the API Identifier and API Key text boxes, paste the API credentials you generated in HackerOne.
In the Data pulling configuration section, you can configure dynamic settings specific to the connector.
- In the Asset Retention text box, type the number of days after which you want assets to be removed from Tenable Exposure Management. If an asset has not been detected or updated within the specified number of days, it is automatically removed from the application, ensuring your asset inventory is current and relevant.
  
  Tip: For more information, see Asset Retention.
In the Test connectivity section, click the Test Connectivity button to verify that Tenable Exposure Management can connect to your connector instance.
- A successful connectivity test confirms that the platform can connect to the connector instance. It does not, however, guarantee that the synchronization process will succeed, as additional syncing or processing issues may arise.
- If the connectivity test fails, an error message with details about the issue appears. Click Show tests for more information about the exact error.
In the Connector scheduling section, configure the time and day(s) on which you want connector syncs to occur.

Tip: For more information, see Connector Scheduling.
Click Create. Tenable Exposure Management begins syncing the connector. The sync can take some time to complete.
To confirm the sync is complete, do the following:
- Navigate to the Connectors page and monitor the connector's status. Sync is complete once the connector status is Connected.
- View the sync logs for the connector to monitor the logs for a successful connection.

HackerOne in Tenable Exposure Management

Locate Connector Assets in Tenable Exposure Management

As the connector discovers assets, Tenable Exposure Management ingests those devices for reporting.

To view assets by connector:

In Tenable Exposure Management, navigate to the Assets page.
In the Filters section, under 3rd Party Connectors, click the connector name for which you want to view assets.

The asset list updates to show only assets from the selected connector.
Click on any asset to view Asset Details.

Locate Connector Weaknesses in Tenable Exposure Management

As the connector discovers weaknesses, Tenable Exposure Management ingests those weaknesses for reporting.

To view weaknesses by connector:

In Tenable Exposure Management, navigate to the Weaknesses page.
In the Filters section, under 3rd Party Connectors, click the connector name for which you want to view weaknesses.

The weaknesses list updates to show only weaknesses from the selected connector.
Click on any weakness to view Weakness Details.

Locate Connector Findings in Tenable Exposure Management

As the connector discovers individual findings, Tenable Exposure Management ingests those findings for reporting.

To view findings by connector:

In Tenable Exposure Management, navigate to the Findings page.
In the Filters section, under 3rd Party Connectors, click the connector name for which you want to view findings

The findings list updates to show only assets from the selected connector.
Click on any asset to view Finding Details.

Data Mapping

Exposure Management integrates with the connector via API to retrieve relevant weakness and asset data, which is then mapped into the Exposure Management system. The following tables outline how fields and their values are mapped from the connector to Exposure Management.

Web Application Mapping

Tenable Exposure Management Value	HackerOne Value
Unique Identifier	asset_identifier
Asset - Name	asset_identifier
Asset - First Observation Date	created_at
Asset - Last Observed At	updated_at
Asset - Webapp Homepage Screenshot Url	asset_identifier
Asset - External Tags	handle eligible_for_bounty eligible_for_submission
Asset Custom Attributes	reference max_severity

Finding Mapping

Tenable Exposure Management UI Field	HackerOne Field
Unique Identifier	asset_identifier + report id
Finding Name	title
CVEs	cve_ids
CWEs	external_id
Severity Driver	score or rating
Description	vulnerability_information
First Seen	created_at
Last seen (Observed)	last_activity_at
Finding Custom Attributes	custom_fields report_id report_state asigned_to hackerone_rating weakness_type weakness_type_description reporter_name reporter_username attack_vector attack_complexity privileges_required user_interaction scope confidentiality integrity availability cvss_score eligible_for_bounty eligible_for_submission relationships.structured_scope.data.attributes.asset_identifier

Finding Status Mapping

Tenable Exposure Management Status	HackerOne Status
Active	pre-submission new pending-program-review triaged retesting needs-more-info informative spam duplicate not-applicable
Fixed	Resolved

Tenable Exposure Management Status

HackerOne Status

Active

pre-submission

new

pending-program-review

triaged

retesting

needs-more-info

informative

spam

duplicate

not-applicable

Fixed

Resolved

Note:For HackerOne, Exposure Management uses the state field to determine finding status.

Finding Severity Mapping

Tenable Exposure Management Severity	HackerOneScore
Critical	9-10 Severity: Critical
High	7-8 Severity: High
Medium	4-6 Severity: Medium
Low	1-4 Severity:Low
None	0

Note:For HackerOne, Exposure Management uses the scpre field to determine severity. If score is not available, Exposure Management uses the rating field from the connector, if provided.

Status Update Mechanisms

Every day, Tenable Exposure Management syncs with the vendor's platform to receive updates on existing findings and assets and to retrieve new ones (if any were added).

The table below describes how the status update mechanism works in the connector for findings and assets ingested into Tenable Exposure Management.

Update Type in Exposure Management	Mechanism (When?)
Archiving Assets	Asset that appears in Exposure Management and is not returned on the next connector sync
Change a Finding status from "Active" to "Fixed"	Finding no longer appears in the scan findings [Finding status changes to finding_status.status = Resolved on the vendor side

Note: Updates on the vendor side are reflected in Tenable Exposure Management only when the next scheduled connector sync time is complete (once a day).

Uniqueness Criteria

Tenable Exposure Management uses defined uniqueness criteria to determine whether an ingested asset or finding should be recognized as a distinct record. These criteria help define how assets and findings are identified and counted from each connector.

Tip: Read all about Third-Party Data Deduplication in Tenable Exposure Management

The uniqueness criteria for this connector are as follows:

Data	Uniqueness Criteria
Asset	asset_identifier
Finding	asset_identifier + id
Detection	id

Support Limitations and Expected Behavior

This section outlines any irregularities, expected behaviors, or limitations related to integration of the connector and Exposure Management. It also highlights details about ingested and non-ingested data to clarify data handling and functionality within this integration.

API Endpoints in Use

API version: v1


/me/programs	Program ID for following steps
/programs/{programId}	Program handle for following steps and asset enrichment
/programs/{programId}/structured_scopes	Assets (Web applications)
/reports?filter[program][]={programHandle}	Findings Detections

Data Validation

This section shows how to validate and compare data between Tenable Exposure Management and the HackerOne platform.

Asset Data Validation

Objective: Ensure the number of assets (Domains) in HackerOne aligns with the number of assets (Web Applications) displayed in Tenable Exposure Management.

In HackerOne:

From the top menu bar, select the relevant Program/Company name.
Scroll down to see the Program assets list in the Scopes table.

Important! Only domains are ingested into the Exposure Management platform.

In Tenable Exposure Management:

Locate your connector assets.
Compare the total number of assets between HackerOne and Tenable Exposure Management.

Expected outcome: The total numbers returned in HackerOneand Exposure Management should match.

If an asset is not visible in Exposure Management, check the following conditions:

Archived because it did not return in the connector's next sync.

Tip: To learn more on how assets and findings change status, see Status Update Mechanisms.

Finding Data Validation

Objective: Ensure that the total number of findings between HackerOne and Exposure Management is consistent.

In HackerOne:

Navigate to Inbox and note the program reports.
Filter to see only open states (findings).
Click on a specific report (finding) to see it’s related asset.

In Tenable Exposure Management:

Locate your connector findings.
Compare the total number of findings between HackerOne and Tenable Exposure Management.

Expected outcome: The total numbers returned in HackerOne and Exposure Management should match.

If a finding is missing from Exposure Management or no longer active, check the following conditions:

The finding is marked as Fixed and appears under the Fixed state on the Findings screen.
The finding no longer appears because its related asset was archived.

Tip: To learn more on how assets and findings are archived or change status, see Status Update Mechanisms.