Gateway - Hacker Identification

How to identify hackers based on your internal logs using Gateway features


Note: For compliance reasons, the personal IP addresses of hackers are not shared through the Gateway logs. All Gateway hacker traffic comes from the same IP address(es), so your internal logs will show the allowlisted Gateway IP addresses rather than personal IP addresses.

Prerequisites

  • Traffic log tracking on HackerOne Gateway should be enabled for your program.

  • Collect the request details from your internal logs:

    • Source IP address

    • URL / IP address

    • Method

    • UTC timestamp

  • The source IP address should match the allowlisted IP address(es) on your HackerOne Gateway program at the time of the request.

Identification Methods

You can identify hackers by filtering activities and/or searching in the log files. Here are the differences between these methods:

  • Log files contain more request details than the Activity page. However, all requests appear in both places.

  • Downloaded log files provide more recent data, including requests made 3-4 minutes earlier, whereas logs are synced to the Activity page every 20 minutes.

Filter Activities

  1. Navigate to Program Settings > Hacker Engagement > Gateway > Activity

  2. Click the advanced filter button to see the Start and End timestamp fields

  3. Enter timestamps to match the UTC timestamp from your logs. Adjust the timestamp filter as needed.

  4. To further refine the search results, enter the request URL in the search bar

  5. You should see the results matching your query

Log File Search

  1. Navigate to Program Settings > Hacker Engagement > Gateway > Log

  2. Request and download a log for the intended date

  3. The downloaded file content is described here

  4. Search in the files for the request URL, method, and UTC timestamp to identify the hacker
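
The log file search above, sketched as an added example (not HackerOne's code): it first checks the prerequisite that the source IP is an allowlisted Gateway address, then matches method, URL and UTC timestamp within a small clock-skew window. The CSV column names, IP addresses and sample rows are constructed assumptions; adapt them to the actual layout of the downloaded file.

```python
import csv
import io
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample data; column names are assumed, not the real Gateway schema.
GATEWAY_IPS = {"203.0.113.10", "203.0.113.11"}  # placeholder allowlisted IPs
GATEWAY_LOG_CSV = """timestamp,method,url,hacker
2024-05-01T12:00:03Z,GET,https://app.example.com/api/users?id=7,hacker_a
2024-05-01T12:00:04Z,POST,https://app.example.com/api/users,hacker_b
2024-05-01T12:07:41Z,GET,https://APP.example.com/api/users?id=7,hacker_c
"""
INTERNAL_REQUEST = {  # one request taken from your own logs (constructed)
    "source_ip": "203.0.113.10",
    "method": "get",
    "url": "https://app.example.com/api/users?id=7",
    "timestamp": "2024-05-01T12:00:05Z",
}

def parse_utc(ts):
    """Parse an ISO 8601 UTC timestamp such as 2024-05-01T12:00:05Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def norm_url(url):
    """Compare host case-insensitively; keep path and query exact."""
    parts = urlsplit(url)
    return (parts.netloc.lower(), parts.path, parts.query)

def identify(internal, gateway_csv, gateway_ips, skew_seconds=5):
    """Return hacker names matching the request, or None if not Gateway traffic."""
    if internal["source_ip"] not in gateway_ips:
        return None  # prerequisite failed: source is not an allowlisted Gateway IP
    want_ts = parse_utc(internal["timestamp"])
    skew = timedelta(seconds=skew_seconds)
    matches = set()
    for row in csv.DictReader(io.StringIO(gateway_csv)):
        if row["method"].upper() != internal["method"].upper():
            continue
        if norm_url(row["url"]) != norm_url(internal["url"]):
            continue
        if abs(parse_utc(row["timestamp"]) - want_ts) <= skew:
            matches.add(row["hacker"])
    return sorted(matches)

if __name__ == "__main__":
    print(identify(INTERNAL_REQUEST, GATEWAY_LOG_CSV, GATEWAY_IPS))
```

More than one name in the result means the time window is too wide to attribute the request to a single hacker; narrow it or match on additional request details.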
