Automations Overview

Organizations: Introduction to and limitations of automations at HackerOne


Product Overview

The HackerOne Automations engine helps you address manual task handling, inefficiencies, slow time to resolution, and more throughout your vulnerability management process.

Streamline and optimize your vulnerability response workflows with automations. Choose from a library of default templates that let users with little to no coding experience reduce manual task handling. For more complex workflows, Custom Automations give your development teams full control and flexibility to build directly within the HackerOne platform.

Every automation you create is deployed and hosted in a secure, purpose-built cloud solution with full read and write access to the HackerOne API, eliminating the need to manage additional infrastructure.

  • Faster Time to Value: HackerOne’s secure and purpose-built automation cloud architecture lets you integrate the full power of the HackerOne API, sidestepping lengthy compliance and security processes often associated with hosting your own cloud infrastructure.

  • Accelerate Vulnerability Analysis: Tap into Hai’s AI power to perform vulnerability analysis automatically during key steps of your vulnerability response process.

  • Data Accuracy: Automatically enrich reports with additional context and metadata for more informed security decisions with more accurate and complete data.

  • Communication and Visibility: Ensure the right stakeholders and SMEs have visibility at the right steps, inside the right systems, throughout your vulnerability response process.

  • Eliminate Manual Data Handling: Assign custom fields and configure report queues based on report actions, contents, or other key events.

  • Event-Driven Actions: Automations can listen to one or multiple events, enabling sophisticated, multi-trigger workflows.

What are Automations?

HackerOne Automations enable programs to automate parts of their program management. This can be helpful when dealing with a high influx of vulnerability submissions or streamlining a particular workflow.

At HackerOne, actions can be performed on reports to create report activities. When these activities are created, they dispatch an event. Automations can subscribe to these events and run whenever one of them occurs, or they can be scheduled to run hourly, daily, weekly, or monthly.

For example, when a vulnerability report is submitted to a program, the BugFiled activity is created. This will dispatch a Report Created event. Check out Activity and Event Mapping to learn more about activities and their events. You can create an automation to listen to this event and automatically assign the report to an inbox based on the asset that is linked to the vulnerability report. Check out How to Create an Automation to learn more.

Every automation run is recorded and can be found by clicking on the “view runs” button in the kebab menu (three vertical dots). These run logs are automatically deleted after 3 months.

There are some limitations to what you are allowed to do with automations. Check out Limitations of Automations to learn more.

Limitations of Automations

There are some limitations to HackerOne automations.

  • Your automation can only interact with HackerOne’s API. It cannot make calls to external APIs.

  • Only organization admins can create automations.

  • Automations will be scheduled for execution immediately after a trigger event is observed and will be executed soon thereafter. Execution cannot be manually delayed.

  • Automations cannot be triggered by an external event.

  • Automations cannot run for longer than 5 minutes. After 5 minutes, the automation will automatically halt execution.

  • Automations are run in a Node.js (v20.x) environment with a memory limit of 512 megabytes. If this limit is exceeded, the automation will automatically halt execution.

  • Automations cannot trigger other automations. For example, when an automation posts a comment on a report, the ReportCommentCreated event that follows will be ignored by all automations.

  • Automation run logs are automatically deleted after 3 months.

Setting the Automation Run Status and Comment

Your automation script can return a status and/or comment anytime in its lifecycle. To do this, return an object with one or both of the following fields:

  • status – Sets the automation run status. Currently, only "noop" is accepted, which concludes the run with a "No operation" status.

  • comment – Adds an optional message (max 255 characters) to the automation run.

Example:

{
  "status": "noop",
  "comment": "Skipped due to incompatible conditions."
}

If you don’t need to set a status or comment but you still want to end the run preemptively, you can return undefined at any time.
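The following added example (not HackerOne's own code) combines the limits listed under Limitations of Automations with the return object described in this section: it builds a valid return value and stops a batch loop before the 5-minute or 512 MB limit halts the run. The helper names `runResult` and `processWithinBudget`, the 80% margin, and reading "512 megabytes" as MiB are assumptions made for illustration.

```javascript
// Added example: helper names are hypothetical, not part of the HackerOne API.
const MAX_COMMENT = 255;                      // comment limit stated above
const RUN_LIMIT_MS = 5 * 60 * 1000;           // 5-minute run limit
const MEMORY_LIMIT_BYTES = 512 * 1024 * 1024; // 512 MB, read here as MiB

// Build the object an automation returns. Only "noop" is an accepted status,
// and comments longer than 255 characters are truncated before returning.
function runResult({ status, comment } = {}) {
  const result = {};
  if (status !== undefined) {
    if (status !== "noop") throw new RangeError(`unsupported status: ${status}`);
    result.status = status;
  }
  if (comment !== undefined) {
    const text = String(comment);
    result.comment = text.length > MAX_COMMENT
      ? text.slice(0, MAX_COMMENT - 3) + "..."
      : text;
  }
  // Nothing set: return undefined, which ends the run without status or comment.
  return Object.keys(result).length ? result : undefined;
}

// Run handler over items, stopping while there is still headroom under the
// time and memory limits so the run ends with a comment instead of being halted.
async function processWithinBudget(items, handler, opts = {}) {
  const {
    startedAt = Date.now(),
    now = Date.now,
    memoryUsed = () => process.memoryUsage().rss,
    margin = 0.8, // assumption: stop at 80% of either limit
  } = opts;
  if (items.length === 0) {
    return runResult({ status: "noop", comment: "No items to process." });
  }
  let done = 0;
  for (const item of items) {
    const outOfTime = now() - startedAt >= RUN_LIMIT_MS * margin;
    const outOfMemory = memoryUsed() >= MEMORY_LIMIT_BYTES * margin;
    if (outOfTime || outOfMemory) {
      const reason = outOfTime ? "time" : "memory";
      return runResult({
        comment: `Stopped early (${reason} budget): ${done}/${items.length} processed.`,
      });
    }
    await handler(item);
    done += 1;
  }
  return runResult({ comment: `Processed ${done}/${items.length} items.` });
}
```

Pass a `startedAt` value captured at the top of the script so that time spent before the loop counts against the budget.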

Email a Fellow Organization Member via the API

Users of the API can use the /email endpoint to send emails to users within their organizations. With our automation features, you can integrate your workflows deeply into our Vulnerability Elimination Workflow.

We’ve introduced some automation templates where Hai performs a specific operation and sends the results via email. One of these is our ROM template, which generates a ROM report using Hai and sends it out through this new API endpoint. You can go to our automation library, find an email-based automation, and have an automation up and running! Code-savvy users can also use this API call directly in their automation code. We wrap the email contents with clear messaging, indicating that the email originates from the HackerOne platform and showing which fellow organization members sent the email.

We only allow emails to be sent to fellow organization members. This limitation exists because we’re not comfortable sending emails to any address, and it also means that we cannot send emails to researchers.
