HackerOne Programs Scraper
Pricing
Pay per event
HackerOne Programs Scraper
Extract public HackerOne bug bounty program data, bounty ranges, submission status, response metrics, and policy URLs for OSINT and sales.
Pricing
Pay per event
Rating
0.0
(0)
Developer
Stas Persiianenko
Maintained by CommunityActor stats
0
Bookmarked
2
Total users
1
Monthly active users
3 days ago
Last modified
Categories
Share
Extract public HackerOne bug bounty and vulnerability disclosure program data from the HackerOne directory.
Use it to monitor program launches, bounty ranges, public response metrics, submission status, and policy URLs without logging in.
What does HackerOne Programs Scraper do?
HackerOne Programs Scraper collects public program records from hackerone.com/directory/programs.
It uses the same public GraphQL data source that powers the HackerOne directory.
The actor returns one dataset row per public program.
Each row includes identity, URLs, status, bounty metadata, and public program metrics.
It does not access private reports.
It does not submit vulnerabilities.
It does not require HackerOne credentials.
Who is it for?
Security sales teams use it to find companies running active disclosure or bounty programs.
Compliance teams use it to monitor vendor security maturity signals.
OSINT analysts use it to build a public bug bounty intelligence dataset.
Bug bounty researchers use it to discover newly launched programs.
Partnership teams use it to enrich account lists with HackerOne program status.
Why use this actor?
HackerOne's directory is useful, but manual checking is slow.
This actor turns the directory into structured data.
You can export to JSON, CSV, Excel, Google Sheets, BigQuery, or your CRM.
You can run it on a schedule to detect new programs.
You can target exact handles when you only need known companies.
Data you can extract
| Field | Description |
|---|---|
handle | HackerOne program handle |
name | Public program name |
programUrl | HackerOne program URL |
policyUrl | Public policy/team URL |
submissionState | Public submission state |
isAcceptingSubmissions | Whether submissions are open |
triageActive | Public triage flag |
resolvedReportCount | Public resolved report count when available |
currency | Bounty currency |
minimumBounty | Public minimum bounty value |
averageBountyLower | Lower public average bounty estimate |
averageBountyUpper | Upper public average bounty estimate |
launchedAt | Public launch timestamp |
scrapedAt | Extraction timestamp |
How much does it cost to scrape HackerOne programs?
This actor uses pay-per-event pricing.
There is a small start charge per run.
There is a per-program charge for each saved dataset item.
Use maxItems to control the run size.
The default input saves 20 programs for a cheap first run.
Large monitoring jobs can use Apify schedules and dataset exports.
Input options
maxItems sets the maximum number of public programs to save.
handles accepts exact HackerOne handles or full program URLs.
sortBy controls the public directory order for broad scrapes. The stable public option is newest launches first.
openOnly keeps only programs accepting submissions.
bountyOnly keeps only programs with public bounty metadata.
Example input
{"maxItems": 100,"sortBy": "launched_at_desc","openOnly": false,"bountyOnly": false}
Scrape exact HackerOne programs
Use handles when you already know the companies to check.
{"handles": ["github", "anthropic-cyber-jailbreak"],"maxItems": 2}
Handles can also be full URLs.
For example, https://hackerone.com/github is normalized to github.
Output example
{"handle": "anthropic-cyber-jailbreak","name": "Anthropic Cyber Jailbreak","programUrl": "https://hackerone.com/anthropic-cyber-jailbreak","submissionState": "open","isAcceptingSubmissions": true,"currency": "usd","minimumBounty": null,"launchedAt": "2026-07-01T03:13:54.818Z"}
How to run
Open the actor on Apify.
Enter a maximum item count.
Optionally add specific HackerOne handles.
Choose filters.
Click Start.
Download the dataset when the run succeeds.
Tips for best results
Use launched_at_desc to monitor new program launches.
Sort or filter by resolvedReportCount in your exported dataset when you need established programs with more public activity.
Use bountyOnly when you only need programs with public reward data.
Use exact handles for CRM or vendor enrichment.
Keep scheduled runs small if you only need daily deltas.
Integrations
Send new program rows to Slack for security intelligence alerts.
Export bounty metadata to Google Sheets for manual review.
Sync program URLs to a CRM account enrichment workflow.
Load results into BigQuery for historical trend analysis.
Connect Apify webhooks to trigger downstream compliance checks.
API usage
Run the actor from Node.js:
import { ApifyClient } from 'apify-client';const client = new ApifyClient({ token: process.env.APIFY_TOKEN });const run = await client.actor('automation-lab/hackerone-programs-scraper').call({maxItems: 100,sortBy: 'launched_at_desc'});console.log(run.defaultDatasetId);
Run the actor from Python:
from apify_client import ApifyClientclient = ApifyClient('YOUR_APIFY_TOKEN')run = client.actor('automation-lab/hackerone-programs-scraper').call({'maxItems': 100,'sortBy': 'launched_at_desc',})print(run['defaultDatasetId'])
Run the actor with cURL:
curl "https://api.apify.com/v2/acts/automation-lab~hackerone-programs-scraper/runs?token=$APIFY_TOKEN" \-H 'Content-Type: application/json' \-d '{"maxItems":100,"sortBy":"launched_at_desc"}'
MCP usage
Use this actor from Claude Code through Apify MCP.
MCP tool URL:
https://mcp.apify.com/?tools=automation-lab/hackerone-programs-scraper
Claude Code setup:
$claude mcp add apify-hackerone-programs https://mcp.apify.com/?tools=automation-lab/hackerone-programs-scraper
Claude Desktop JSON config:
{"mcpServers": {"apify-hackerone-programs": {"url": "https://mcp.apify.com/?tools=automation-lab/hackerone-programs-scraper"}}}
Example prompt:
"Scrape the newest 100 HackerOne programs and summarize which ones accept submissions."
Another prompt:
"Check HackerOne handles github and anthropic-cyber-jailbreak and return bounty metadata."
Scheduling
Create an Apify schedule to run the actor daily or weekly.
Use a low maxItems value for daily launch monitoring.
Use a larger value for monthly market snapshots.
Export only new rows in your downstream workflow if you need deltas.
Legality and ethics
This actor extracts public directory data.
It does not bypass authentication.
It does not access private HackerOne reports.
It does not interact with vulnerability submission forms.
You are responsible for using exported data lawfully and respecting applicable terms.
Troubleshooting
If a handle returns no row, confirm the program is public and the handle is correct.
If no bounty values appear, the program may not expose public bounty metadata.
If a run is slower with bountyOnly, the actor may need to scan additional directory pages to find matching programs.
If you need private program data, this actor is not the right tool.
Related scrapers
Use other automation-lab security and OSINT actors to enrich vendor intelligence workflows.
For broader web enrichment, combine this actor with company website and contact discovery actors.
For link or compliance checks, export programUrl and policyUrl to downstream Apify actors.
FAQ
Does this actor need a HackerOne login?
No.
It uses public program directory data only.
Can it scrape vulnerability reports?
No.
The actor intentionally excludes private reports and submissions.
Can I monitor new HackerOne programs?
Yes.
Run with sortBy set to launched_at_desc and schedule recurring runs.
Can I scrape only companies I care about?
Yes.
Put exact handles or HackerOne URLs in handles.
Why are some bounty fields null?
Not every public program exposes reward amounts in the directory.
Null values mean HackerOne did not expose that field publicly for the program.
Changelog
Initial version extracts public HackerOne program directory rows, exact handles, sorting, and filters.