Asset Details and Scoping

Organizations: Learn how to add assets to your inventory

Updated over a week ago

Asset Details

Opening the menu for an asset gives you options to view the asset overview, add scope, remove from scope, archive, or add a tag. You can also add tags and add or remove from scope in the bulk actions menu.

The asset overview will provide detailed information which you can edit from within the menu.


Open Scope

Most HackerOne programs specify eligible assets for finding vulnerabilities, each defined by a URL with its own set of rules. Some programs with an extensive Attack Surface may miss assets, such as newly added ones or production endpoints. An Open Scope program commits to respecting and paying for vulnerabilities found on any asset confirmed as owned by the organization, even if it is not listed, ensuring hackers’ efforts are never wasted.

Defined Scope

You can add to scope, remove from scope, or add as out of scope by clicking on the kabob menu to the right of any asset.

To add as in scope or out of scope:

  1. Click the kabob menu next to the asset

  2. Click Add to scope

  3. Select the program

  4. Define the scope

  5. Set bounty eligibility

  6. Check or uncheck the box Notify subscribers of changes to the scope

  7. Click Add scope

The Scope tab in the program’s Security page allows hackers to see:

  1. Which assets are in-scope or out-of-scope

  2. Which assets are eligible for bounty

  3. The asset’s maximum severity

Adding Assets

You can add assets to your organization from the Asset Inventory page by clicking Add assets under the search & filter box. You can choose to import a CSV or add a single asset.

Note: Assets can also be added via the API.

Adding a Single Asset

If you choose to add a single asset, a pop-up menu will appear prompting you to enter all the asset’s details.

After the asset is added, it will appear in the list alongside all other assets.

Adding Multiple Assets

The quickest way to add multiple assets to the Asset Inventory is to utilize the "Import from CSV" option. This will open a modal where you can upload a file and start your import. For convenience, there is also an example file provided here to download.

Important: use a semicolon (;) as a field separator in your file.

Asset Types

Use the following table to determine what fields to include in your CSV. Asset type names are case-sensitive.

Platform asset type


Case-sensitive name for importing

AI Model

AI integration endpoint or direct model link


Android: .apk

File path for an Android APK file


Android: Play Store

Identifier for an Android app in the Google Play Store



A single CIDR range (e.g.,



Domain name



File path for an executable file



A physical hardware device name


iOS: .ipa

File path for an iOS IPA file


iOS: App Store

Identifier for an iOS app in the App Store


iOS: Testflight

Identifier for an iOS app in TestFlight


IP Address

A specific IP address



Asset that does not fit other definitions


Smart contract

Link or address for a web3 smart contract


Source code

Link to a source code repository



A specific URL or directory path



A domain pattern with wildcard characters


Windows: Microsoft Store

Identifier for an app in the Windows Microsoft Store


Once you have uploaded the file, an Import Summary will display. The Import Summary covers successful asset additions, successful asset updates, and failed asset imports.

Did this answer your question?