Asset Details
Opening the menu for an asset gives you options to view the asset overview, add scope, remove from scope, archive, or add a tag. You can also add tags and add or remove from scope in the bulk actions menu.
The asset overview will provide detailed information which you can edit from within the menu.
Scope
Open Scope
Most HackerOne programs specify eligible assets for finding vulnerabilities, each defined by a URL with its own set of rules. Some programs with an extensive Attack Surface may miss assets, such as newly added ones or production endpoints. An Open Scope program commits to respecting and paying for vulnerabilities found on any asset confirmed as owned by the organization, even if it is not listed, ensuring hackers’ efforts are never wasted.
Defined Scope
You can add to scope, remove from scope, or add as out of scope by clicking on the kabob menu to the right of any asset.
To add as in scope or out of scope:
Click the kabob menu next to the asset
Click Add to scope
Select the program
Define the scope
Set bounty eligibility
Check or uncheck the box Notify subscribers of changes to the scope
Click Add scope
The Scope tab in the program’s Security page allows hackers to see:
Which assets are in-scope or out-of-scope
Which assets are eligible for bounty
The asset’s maximum severity
Adding Assets
You can add assets to your organization from the Asset Inventory page by clicking Add assets under the search & filter box. You can choose to import a CSV or add a single asset.
Note: Assets can also be added via the API.
Adding a Single Asset
If you choose to add a single asset, a pop-up menu will appear prompting you to enter all the asset’s details.
After the asset is added, it will appear in the list alongside all other assets.
Adding Multiple Assets
The quickest way to add multiple assets to the Asset Inventory is to utilize the "Import from CSV" option. This will open a modal where you can upload a file and start your import. For convenience, there is also an example file provided here to download.
Important: use a semicolon (;) as a field separator in your file.
Asset Types
Use the following table to determine what fields to include in your CSV. Asset type names are case-sensitive.
Platform asset type | Description | Case-sensitive name for importing |
AI Model | AI integration endpoint or direct model link | AiModel |
Android: .apk | File path for an Android APK file | AndroidApk |
Android: Play Store | Identifier for an Android app in the Google Play Store | AndroidPlayStore |
CIDR | A single CIDR range (e.g., 192.168.0.0/24) | Cidr |
Domain | Domain name | Domain |
Executable | File path for an executable file | Executable |
Hardware/IoT | A physical hardware device name | Hardware |
iOS: .ipa | File path for an iOS IPA file | IosIpa |
iOS: App Store | Identifier for an iOS app in the App Store | IosAppStore |
iOS: Testflight | Identifier for an iOS app in TestFlight | IosTestflight |
IP Address | A specific IP address | IpAddress |
Other | Asset that does not fit other definitions | OtherAsset |
Smart contract | Link or address for a web3 smart contract | SmartContract |
Source code | Link to a source code repository | SourceCode |
URL | A specific URL or directory path | Url |
Wildcard | A domain pattern with wildcard characters | Wildcard |
Windows: Microsoft Store | Identifier for an app in the Windows Microsoft Store | WindowsMicrosoftStore |
Once you have uploaded the file, an Import Summary will display. The Import Summary covers successful asset additions, successful asset updates, and failed asset imports.