Traffic log tracking on HackerOne Gateway should be enabled for your program.
Collect the request details from your internal logs:
Source IP address
URL / IP address
The source IP address should match the allowlisted IP address(es) on your HackerOne Gateway program at the time of the request.
You can identify hackers by filtering activities and/or searching in the log files. Here are the differences between these methods:
Log files contain more request details compared to the Activity page. However, all the requests show up in both places.
Downloaded log files provide more recent data that will include requests made 3-4 minutes earlier, whereas the logs are synced every 20 minutes to the Activity page.
Navigate to Program Settings > Hacker Engagement > Gateway > Activity
Click the advanced filter button to see the Start and End timestamp fields
Enter timestamps to match the UTC timestamp from your logs. Adjust the timestamp filter as needed.
To further refine the search results, enter the request URL in the search bar
You should see the results matching your query
Log File Search
Navigate to Program Settings > Hacker Engagement > Gateway > Log
Request and download a log for the intended date
The downloaded file content is described here
Search in the files for the request URL, method, and UTC timestamp to identify the hacker