Skip to main content
All CollectionsAutomations
Automations Overview
Automations Overview

Organizations: Introduction to and limitations of automations at HackerOne

Updated over a week ago

Product Overview

HackerOne Automations engine helps you address the struggles of manual task handling, inefficiencies, time to resolution, and much more throughout your vulnerability management process.

Streamline and optimize your vulnerability response workflows with automations. Choose from a library of default templates that let users with little to no coding experience reduce manual task handling. For more complex workflows, Custom Automations give your development teams full control and flexibility to build directly within the HackerOne platform.

Every automation you create is deployed and hosted in a secure, purpose-built cloud solution with full read and write access to the HackerOne API, eliminating the need to manage additional infrastructure.

  • Faster Time to Value: HackerOne’s secure and purpose-built automation cloud architecture lets you integrate the full power of the HackerOne API, sidestepping lengthy compliance and security processes often associated with hosting your own cloud infrastructure.

  • Accelerate Vulnerability Analysis: Tap into Hai’s AI power to perform vulnerability analysis automatically during key steps of your vulnerability response process.

  • Data Accuracy: Automatically enrich reports with additional context and metadata for more informed security decisions with more accurate and complete data.

  • Communication and Visibility: Ensure the right stakeholders and SMEs have visibility at the right steps, inside the right systems, throughout your vulnerability response process.

  • Eliminate Manual Data Handling: Assign custom fields and configure report queues based on report actions, contents, or other key events.

  • Event-Driven Actions: Automations can listen to one or multiple events, enabling sophisticated, multi-trigger workflows.

What are Automations?

HackerOne Automations enable programs to automate parts of their program management. This can be helpful when dealing with a high influx of vulnerability submissions or streamlining a particular workflow.

At HackerOne, actions can be performed on reports to create report activities. When these activities are created, they dispatch an event. Automations can be subscribed to these events and will run whenever one of these events occurs or can be scheduled to run hourly, daily, weekly, or monthly.

For example, when a vulnerability report is submitted to a program, the BugFiled activity is created. This will dispatch a Report Created event. Check out Activity and Event Mapping to learn more about activities and their events. You can create an automation to listen to this event and automatically assign the report to an inbox based on the asset that is linked to the vulnerability report. Check out How to Create an Automation to learn more.

Every automation run is recorded and can be found by clicking on the “view runs” button in the kebab menu (three vertical dots). These run logs are automatically deleted after 3 months.

There are some limitations to what you are allowed to do with automations. Check out Limitations of Automations to learn more.

Limitations of Automations

There are some limitations to HackerOne automations.

  • Your automation can only interact with HackerOne’s API. It is not possible to make calls to external APIs.

  • Only organization admins can create automations.

  • Automations will be scheduled for execution immediately after a trigger event is observed and will be executed soon thereafter. Execution can not be manually delayed.

  • Automations cannot be triggered by an external event.

  • Automations can not run for longer than 5 minutes. After 5 minutes, the automation will automatically halt execution.

  • Automations are run in a node.js (v20.x) environment with a memory limit of 512 megabytes. If this limit is exceeded, the automation will automatically halt execution

  • Automations can not trigger other automations. For example, when an automation posts a comment on a report, the ReportCommentCreated event that follows will be ignored by all automations.

  • Automation run logs are automatically deleted after 3 months.

Did this answer your question?