For compliance reasons, hackers' personal IP addresses are not shared through the Gateway logs. All Gateway hackers' traffic comes from the same IP address(es). Hence, your internal logs will contain the allowlisted Gateway IP addresses, not the hackers' personal IP addresses.
Prerequisites
Enable traffic log tracking on HackerOne Gateway for your program.
Collect the request details from your internal logs:
Source IP address
URL / IP address
Method
UTC timestamp
Make sure the source IP address of the request matches the allowlisted IP address(es) on your HackerOne Gateway program at the time the request was made.
Identification Methods
You can identify hackers by filtering activities and/or searching in the log files. Here are the differences between these methods:
Log files contain more request details than the Activity page. However, all the requests show up in both places.
Downloaded log files provide more recent data, including requests made 3-4 minutes earlier, whereas logs are synced to the Activity page every 20 minutes.
Filter Activities
Navigate to Program Settings > Hacker Engagement > Gateway > Activity
Click the advanced filter button to see the Start and End timestamp fields
Enter timestamps to match the UTC timestamp from your logs. Adjust the timestamp filter as needed.
To further refine the search results, enter the request URL in the search bar
You should see the results matching your query
Log File Search
Navigate to Program Settings > Hacker Engagement > Gateway > Log
Request and download a log for the intended date
The downloaded file content is described in the Gateway Traffic Logs doc.
Search in the files for the request URL, method, and UTC timestamp to identify the hacker.
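
The search in the last step can be scripted. The following is an added example, not HackerOne code: it matches one request from your internal logs against a downloaded log by URL, method, and UTC timestamp, allowing a few seconds of clock skew. The CSV layout and the column names (timestamp, username, method, url) are assumptions; use the fields described in the Gateway Traffic Logs doc.

```python
import csv
import io
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed sample of a downloaded Gateway log. The column names are
# assumptions; the real layout is described in the Gateway Traffic Logs doc.
SAMPLE_GATEWAY_LOG = """timestamp,username,method,url
2024-05-01T10:15:02Z,hacker_a,GET,https://app.example.com/api/users?id=1
2024-05-01T10:15:04Z,hacker_b,POST,https://app.example.com/api/login
2024-05-01T10:15:05Z,hacker_a,POST,https://APP.example.com/api/login
2024-05-01T11:40:00Z,hacker_c,POST,https://app.example.com/api/login
"""

def parse_utc(ts):
    """Parse an ISO 8601 timestamp; a value without an offset is taken as UTC."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)

def normalize_url(url):
    """Compare hosts case-insensitively; keep path and query exactly as sent."""
    parts = urlsplit(url)
    return (parts.hostname or "", parts.path or "/", parts.query)

def find_candidates(gateway_csv, url, method, when_utc, skew_seconds=5):
    """Return (username, timestamp) rows that match the internal log entry,
    closest timestamp first. More than one username means the window is too
    wide to attribute the request; narrow it or compare more fields."""
    target = parse_utc(when_utc)
    window = timedelta(seconds=skew_seconds)
    wanted = normalize_url(url)
    hits = []
    for row in csv.DictReader(io.StringIO(gateway_csv)):
        delta = abs(parse_utc(row["timestamp"]) - target)
        if (row["method"].upper() == method.upper()
                and normalize_url(row["url"]) == wanted
                and delta <= window):
            hits.append((delta, row["username"], row["timestamp"]))
    return [(user, ts) for _, user, ts in sorted(hits)]

if __name__ == "__main__":
    # Constructed internal log entry: POST to /api/login at 10:15:05 UTC.
    for user, ts in find_candidates(SAMPLE_GATEWAY_LOG,
                                    "https://app.example.com/api/login",
                                    "POST", "2024-05-01T10:15:05Z"):
        print(user, ts)
```

When two hackers hit the same endpoint within the skew window, as in the sample, the function returns both; reduce skew_seconds only if your server clock is known to be synchronized.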