Email Forwarding

Organizations: Set up emails to be forwarded to your HackerOne inbox

Updated over 3 months ago

You can set up emails to be forwarded to your HackerOne inbox to enable report management directly through HackerOne. Hackers who discover these specific email addresses will be able to submit reports directly to your program. Upon sending reports through email, they'll also automatically get invited to your program.

Note: This feature is available only after your program has launched and is no longer in sandbox mode.

How Does it Work?

When a hacker discovers a vulnerability and sends their finding in an email to security@example.org:

  1. Their emails are forwarded to HackerOne's inbox and saved as report drafts.

  2. The hacker will receive an auto-response email notifying them that your program uses the HackerOne platform to coordinate vulnerabilities. They can click the Submit Vulnerability Report link.

  3. The link will prompt the hacker to create a HackerOne account if they don't already have one, or to log in to their existing account.

  4. After the hacker signs in to the account, the Submit Vulnerability Report button will be available for them to click. Upon clicking this button, the hacker is automatically invited into your program. The button will take them to the report submissions page, where they can claim the report draft and submit a valid HackerOne report to your program.

  5. You will then be notified of a new vulnerability submitted by the hacker in your inbox where you can use the platform tools to comment, triage, and pay bounties.

Setup

To set up email forwarding in HackerOne:

  1. Go to Settings > Program > Hacker Management > Email Forwarding.

  2. Click on Add email address.

  3. Enter the email address the vulnerability reports should be sent to. A common example is security@example.org.


  4. The inbox address that your email will be forwarded to is generated automatically. Once forwarding is configured, emails sent to security@example.org will be forwarded to the given inbox address. Click Run test to ensure that forwarding is set up correctly.

Note: Please make sure you've configured email forwarding for your email provider. Don't know how to set up email forwarding for your email provider?

Check out these resources:

Some providers (e.g., Google) require you to verify the forwarding address via a confirmation email. You can find this email by clicking Incoming Emails.


Note: You can add multiple email addresses to forward to the same inbox.


Setup Issues

If you're running into problems setting up email forwarding using the steps above, the cause may be that one or more security checks inherent to the email protocol are failing, which prevents HackerOne from successfully processing the email.

Here are some common problems and solutions users run into when setting up email forwarding:

Issue: You're using Gmail as an email provider and can't find the required confirmation email.
Solution: To set up email forwarding for Gmail, you need to click the verification link sent to the email address you want to forward emails to. You can access this email by clicking the "View Incoming Emails" button (Settings > Program > Hacker Management > Email Forwarding > View Incoming Emails).

Issue: You manually created a forwarding rule instead of following these setup instructions. When you manually create your own forwarding rule, you create a new email object that doesn't contain the H1-Forwarding-Nonce header that HackerOne requires to verify the setup.
Solution: Please follow the setup instructions above and the instructions for your email provider's forwarding functionality.

Issue: The To field is incorrect. This causes SPF and DKIM checks to fail, which means HackerOne won't receive the forwarded email.
Solution: Make sure the To field matches the one you entered in step 3 above, and follow the instructions for your email provider's forwarding functionality.

Here's an example of what your email headers should look like when email forwarding is set up correctly:

Header: Value
To:
From:
Return-Path:
Delivered-To:
Received-SPF: pass(*)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=hsbnp7p3ensaochzwyq5wwmceodymuwv; d=server.com; t=12738181; h=Date:From:To:Message-ID:Subject:Mime-Version:Content-Type:Content-Transfer-Encoding:Feedback-ID; bh=2jh40/jnKOZNNY68AJSDID8IUovd714123JJzgOVWqFX4Q=; b=JASIOSD+89jYRJsmqDIEA621Xkz1cpHba6xikYasjid8JJoc KAidKMZ/O1VV/+LBI19tGajKAID882Lx8/CSAXMMiKlamK+ac+rOfqQKDIA88INOL /FBpVYM4nLOLLIPOPwxNrlvPWoouHw9kdDq171/dUs YO7E=
X-Forwarded-To:
X-Forwarded-For:
H1-Forwarding-Nonce: 2a032918391e46cf7687e62ec42423ea3
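A local pre-check for the header problems listed under Setup Issues, run over a saved copy of a forwarded message. This is an added example, not HackerOne's code or its actual validation logic; the function name check_forwarded, the sample message and every address in it other than security@example.org are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample of a forwarded message as saved from the receiving side.
# All addresses except security@example.org are placeholders; the nonce is the
# example value shown in the header table above.
SAMPLE = """\
Return-Path: <sender@sender.example>
Delivered-To: inbox-placeholder@forwarding.example
Received-SPF: pass (constructed)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=server.com; s=sel; bh=CONSTRUCTED; b=CONSTRUCTED
X-Forwarded-To: inbox-placeholder@forwarding.example
X-Forwarded-For: security@example.org inbox-placeholder@forwarding.example
H1-Forwarding-Nonce: 2a032918391e46cf7687e62ec42423ea3
From: Sender <sender@sender.example>
To: security@example.org
Subject: Forwarding test

constructed body
"""


def check_forwarded(raw: str, configured_to: str) -> list[str]:
    """Return the problems found; an empty list means every check passed."""
    msg = message_from_string(raw)
    problems = []
    # A hand-made forwarding rule builds a new message without the nonce.
    if not (msg.get("H1-Forwarding-Nonce") or "").strip():
        problems.append("H1-Forwarding-Nonce missing")
    # To must be the address entered in setup step 3.
    to_addrs = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
    if configured_to.lower() not in to_addrs:
        problems.append("To does not match configured address")
    # The example headers show Received-SPF as pass and a DKIM-Signature present.
    if not (msg.get("Received-SPF") or "").strip().lower().startswith("pass"):
        problems.append("Received-SPF is not pass")
    if not msg.get("DKIM-Signature"):
        problems.append("DKIM-Signature missing")
    # Forwarding markers listed in the example header table.
    for name in ("X-Forwarded-To", "X-Forwarded-For"):
        if not msg.get(name):
            problems.append(f"{name} missing")
    return problems


if __name__ == "__main__":
    for problem in check_forwarded(SAMPLE, "security@example.org") or ["all checks passed"]:
        print(problem)
```

The check looks at header presence and values only; it does not verify the DKIM signature or evaluate SPF itself.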
