Gateway - Hacker Identification

Organizations: How to identify hackers based on your internal logs using Gateway features

Updated over 2 months ago

For compliance reasons, hackers' personal IP addresses are not shared through the Gateway logs. All Gateway hacker traffic comes from the same IP address(es), so your internal logs will show the allowlisted Gateway IP addresses rather than personal IP addresses.

Prerequisites

  • Enable traffic log tracking on HackerOne Gateway for your program.

  • Collect the request details from your internal logs:

    • Source IP address

    • URL / IP address

    • Method

    • UTC timestamp

  • Make sure the source IP address matches the allowlisted IP address(es) on your HackerOne Gateway program when making the request.

[Screenshot: sheet showing the allowlisted IP addresses for the program]

Identification Methods

You can identify hackers by filtering activities and/or searching in the log files. Here are the differences between these methods:

  • Log files contain more request details than the Activity page. However, all the requests show up in both places.

  • Downloaded log files provide more recent data: they include requests made 3-4 minutes earlier, whereas logs are synced to the Activity page every 20 minutes.

Filter Activities

  1. Navigate to Program Settings > Hacker Engagement > Gateway > Activity

  2. Click the advanced filter button to see the Start and End timestamp fields

  3. Enter timestamps to match the UTC timestamp from your logs. Adjust the timestamp filter as needed.

  4. To further refine the search results, enter the request URL in the search bar

  5. You should see the results matching your query

[Screenshot: filtering activities screen]

Log File Search

  1. Navigate to Program Settings > Hacker Engagement > Gateway > Log

  2. Request and download a log for the intended date

  3. The downloaded file content is described in the Gateway Traffic Logs doc.

  4. Search in the files for the request URL, method, and UTC timestamp to identify the hacker.

[Screenshot: download hacker traffic logs prompt]
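The log file search above can be scripted once the log is downloaded. The following is an added example, not HackerOne code: it checks that the internal log entry's source IP is an allowlisted Gateway address, then matches method, URL, and UTC timestamp (with a small clock-skew window) against the Gateway log. The CSV layout, the column names (timestamp, username, method, url), the allowlist value, and the sample rows are all assumptions constructed for illustration; the real file layout is in the Gateway Traffic Logs doc.

```python
import csv
import io
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed allowlist (documentation range); use your program's Gateway IPs.
GATEWAY_ALLOWLIST = [ip_network("203.0.113.10/32")]

# Constructed sample of a downloaded Gateway log. Column names are assumed,
# not taken from the Gateway Traffic Logs doc.
SAMPLE_GATEWAY_LOG = """\
timestamp,username,method,url
2024-05-01T12:00:03Z,hacker_a,GET,https://app.example.com/api/users?id=1
2024-05-01T12:00:05Z,hacker_b,POST,https://app.example.com/login
2024-05-01T12:07:41Z,hacker_a,POST,https://app.example.com/login
"""

def parse_utc(ts):
    """Parse an ISO 8601 timestamp (trailing 'Z' allowed) into aware UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)

def normalize_url(url):
    """Compare on lowercase host, path and query; ignore scheme and fragment."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/", parts.query

def identify_hackers(internal, gateway_csv, skew_seconds=5):
    """Return sorted usernames whose Gateway entries match one internal request."""
    src = ip_address(internal["source_ip"])
    if not any(src in net for net in GATEWAY_ALLOWLIST):
        # Not Gateway traffic, so the Gateway log cannot attribute it.
        raise ValueError("source IP is not an allowlisted Gateway address")
    when = parse_utc(internal["timestamp"])
    skew = timedelta(seconds=skew_seconds)
    matches = set()
    for row in csv.DictReader(io.StringIO(gateway_csv)):
        if row["method"].upper() != internal["method"].upper():
            continue
        if normalize_url(row["url"]) != normalize_url(internal["url"]):
            continue
        if abs(parse_utc(row["timestamp"]) - when) <= skew:
            matches.add(row["username"])
    return sorted(matches)
```

If more than one username is returned, narrow `skew_seconds` or add further request details from your internal logs to the comparison.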
