Skip to main content
Asset Details and Scoping

Organizations: Learn how to add assets to your inventory

Updated this week

Asset Details

Opening the menu for an asset gives you options to view the asset overview, add scope, remove from scope, archive, or add a tag. You can also add tags and add or remove from the scope in the bulk actions menu.

The asset overview will provide detailed information that you can edit from within the menu.

Scope

Open Scope

Most HackerOne programs specify eligible assets for finding vulnerabilities, each defined by a URL with its own set of rules. Some programs with an extensive Attack Surface may miss assets, such as newly added ones or production endpoints. An Open Scope program respects and pays for vulnerabilities found on any asset it confirms as owned by the organization, even if it is not listed. This ensures hackers’ efforts are never wasted.

Defined Scope

You can add to scope, remove from scope, or add as out of scope by clicking on the kabob menu to the right of any asset.

To add as in scope or out of scope:

  1. Click the kabob menu next to the asset

  2. Click Add to scope

  3. Select the program

  4. Define the scope

  5. Set bounty eligibility

  6. Check or uncheck the box Notify subscribers of changes to the scope

  7. Click Add scope

The Scope tab in the program’s Security page allows hackers to see:

  1. Which assets are in-scope or out-of-scope

  2. Which assets are eligible for bounty

  3. The asset’s maximum severity

Adding Assets

You can add assets to your organization from the Asset Inventory page by clicking Add assets under the search & filter box. You can choose to import a CSV or add a single asset.

Note: You can also add assets via the API.

Adding a Single Asset

If you choose to add a single asset, a pop-up menu will appear prompting you to enter all the asset’s details.

After the asset is added, it will appear in the list alongside all other assets.

Adding Multiple Assets

The quickest way to add multiple assets to the Asset Inventory is to utilize the "Import from CSV" option. This will open a modal where you can upload a file and start your import. For convenience, an example file is also provided here to download.

Important: use a semicolon (;) as a field separator in your file.

Asset Types

Use the following table to determine what fields to include in your CSV. Asset type names are case-sensitive.

Platform asset type

Description

Case-sensitive name for importing

AI Model

AI integration endpoint or direct model link

AiModel

Android: .apk

File path for an Android APK file

AndroidApk

Android: Play Store

Identifier for an Android app in the Google Play Store

AndroidPlayStore

CIDR

A single CIDR range (e.g., 192.168.0.0/24)

Cidr

Domain

Domain name

Domain

Executable

File path for an executable file

Executable

Hardware/IoT

A physical hardware device name

Hardware

iOS: .ipa

File path for an iOS IPA file

IosIpa

iOS: App Store

Identifier for an iOS app in the App Store

IosAppStore

iOS: Testflight

Identifier for an iOS app in TestFlight

IosTestflight

IP Address

A specific IP address

IpAddress

Other

Asset that does not fit other definitions

OtherAsset

Smart contract

Link or address for a web3 smart contract

SmartContract

Source code

Link to a source code repository

SourceCode

URL

A specific URL or directory path

Url

Wildcard

A domain pattern with wildcard characters

Wildcard

Windows: Microsoft Store

Identifier for an app in the Windows Microsoft Store

WindowsMicrosoftStore

Once you have uploaded the file, an import summary will display. The import summary covers successful asset additions, successful asset updates, and failed asset imports.

Did this answer your question?