Hackerone Scraper

Pricing

Pay per usage

This Actor scrapes publicly disclosed vulnerability reports from the HackerOne Hacktivity feed - the industry's largest collection of real-world bug bounty disclosures.

Developer

Daniel Filakovsky

Maintained by Community

Actor stats

  • Bookmarked: 0
  • Total users: 2
  • Monthly active users: 1
  • Last modified: 6 days ago

HackerOne Hacktivity Scraper

What does HackerOne Hacktivity Scraper do?

This Actor scrapes publicly disclosed vulnerability reports from the HackerOne Hacktivity feed — the industry's largest collection of real-world bug bounty disclosures. It acts as a HackerOne API alternative for the Hacktivity feed, letting you extract structured data without manual browsing. Use it to monitor new disclosures, build threat-intelligence datasets, or research vulnerability trends across programs.

Note: Only publicly disclosed reports are collected. Private or undisclosed reports are never accessible through this Actor.

Why scrape HackerOne Hacktivity?

The Hacktivity feed is a goldmine of real-world vulnerability intelligence, but HackerOne provides no public API for bulk access. This Actor closes that gap.

Use cases:

  • Threat intelligence — track newly disclosed CVEs and bug classes across hundreds of programs
  • Security research — build datasets of vulnerability patterns, reward distributions, and severity trends
  • Vendor monitoring — watch for disclosures affecting a specific company's bug bounty program
  • Bug bounty strategy — identify high-rewarding vulnerability categories to focus on
  • Compliance & reporting — pull structured data into spreadsheets, dashboards, or SIEMs

Platform advantages when running on Apify:

  • Schedule runs on a cron to continuously monitor new disclosures
  • Download results as JSON, CSV, Excel, or XML
  • Connect to 2,000+ integrations via Zapier, Make, or the Apify API
  • Use residential proxies to avoid rate limiting

What data can HackerOne Hacktivity Scraper extract?

| Field | Type | Description |
|---|---|---|
| title | string | Report title / vulnerability description |
| severity | string | critical, high, medium, low, or none |
| reward | number | Bounty awarded in USD (0 if unpaid) |
| currency | string | Reward currency (usually USD) |
| vendorName | string | Bug bounty program / company name |
| vendorHandle | string | Program handle on HackerOne |
| category | string | Vulnerability class (e.g. XSS, SSRF, SQL Injection) |
| disclosedDate | string | ISO-8601 date when the report was publicly disclosed |
| url | string | Direct link to the public report on HackerOne |
| reporterUsername | string | Handle of the security researcher who found the bug |

How to scrape HackerOne Hacktivity

  1. Open the Actor on the Apify platform and click Try for free.
  2. Configure filters in the Input tab (see the Input section below).
  3. Click Start and wait for the run to finish — most runs complete in under a minute.
  4. Download results from the Output tab in JSON, CSV, or Excel format.
  5. Schedule it via the Schedule tab to get fresh disclosures automatically.

How much will it cost to scrape HackerOne Hacktivity?

This Actor uses a headless browser only for the initial page load, then switches to lightweight HTTP requests for pagination. A typical run of 100 items consumes well under 0.1 Apify Compute Units (CU), which is covered by the free tier.

| Items | Estimated CU | Free tier |
|---|---|---|
| 100 | ~0.05 CU | ✅ Covered |
| 1 000 | ~0.2 CU | ✅ Covered |
| 10 000 | ~1.5 CU | Requires paid plan |

Input

See the Input tab for the full configuration form. Key options:

| Parameter | Type | Default | Description |
|---|---|---|---|
| severityFilter | array | [] (all) | Limit to specific severity levels: critical, high, medium, low, none |
| minReward | integer | 0 | Only include reports with a bounty ≥ this USD amount |
| daysBack | integer | (all time) | Only include reports disclosed in the last N days |
| maxItems | integer | 100 | Stop after collecting this many matching reports |

Example — collect the 50 most recently disclosed critical/high reports with a reward of at least $1 000:

{
  "severityFilter": ["critical", "high"],
  "minReward": 1000,
  "daysBack": 90,
  "maxItems": 50
}

Output

You can download the dataset in various formats such as JSON, CSV, Excel, or HTML from the Output tab.

Sample output (JSON):

[
  {
    "title": "Remote Code Execution via unsafe YAML deserialization",
    "severity": "critical",
    "reward": 20000,
    "currency": "USD",
    "vendorName": "Acme Corp",
    "vendorHandle": "acmecorp",
    "category": "Remote Code Execution",
    "disclosedDate": "2024-03-15T09:22:00.000Z",
    "url": "https://hackerone.com/reports/123456",
    "reporterUsername": "researcher_handle"
  },
  {
    "title": "Stored XSS in profile bio field allows account takeover",
    "severity": "high",
    "reward": 2500,
    "currency": "USD",
    "vendorName": "Example Inc",
    "vendorHandle": "exampleinc",
    "category": "Cross-Site Scripting (XSS)",
    "disclosedDate": "2024-03-10T14:05:00.000Z",
    "url": "https://hackerone.com/reports/654321",
    "reporterUsername": "another_researcher"
  }
]
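
Report titles and other string fields in this output are written by third parties, so a pipeline that feeds them into spreadsheets, dashboards, or a SIEM should treat them as untrusted. The following is an added example, not part of the Actor: it checks each record against the field table above, skips reports already exported by an earlier scheduled run, and neutralizes cells a spreadsheet would evaluate as formulas. The function names, the URL pattern (inferred from the sample URLs), and the sample records are assumptions made for illustration.

```python
import csv, datetime, io, re

SEVERITIES = {"critical", "high", "medium", "low", "none"}      # values from the field table
REPORT_URL = re.compile(r"https://hackerone\.com/reports/\d+")  # assumed from the sample URLs
FIELDS = ["disclosedDate", "severity", "reward", "vendorHandle", "category", "title", "url"]

def validate(rec):
    """Return the names of fields that do not match the documented schema."""
    bad = []
    if rec.get("severity") not in SEVERITIES:
        bad.append("severity")
    reward = rec.get("reward")
    if isinstance(reward, bool) or not isinstance(reward, (int, float)) or reward < 0:
        bad.append("reward")
    if not isinstance(rec.get("url"), str) or not REPORT_URL.fullmatch(rec["url"]):
        bad.append("url")
    try:
        datetime.datetime.fromisoformat(str(rec.get("disclosedDate")).replace("Z", "+00:00"))
    except ValueError:
        bad.append("disclosedDate")
    return bad

def csv_safe(value):
    """Quote-prefix text a spreadsheet would otherwise evaluate as a formula."""
    risky = isinstance(value, str) and value[:1] in ("=", "+", "-", "@", "\t", "\r")
    return "'" + value if risky else value

def export(records, seen_urls):
    """Return (csv_text, rejected) for valid records whose URL is not in seen_urls."""
    out, rejected = io.StringIO(), []
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(FIELDS)
    for rec in records:
        bad = validate(rec)
        if bad:
            rejected.append((rec.get("title"), bad))
        elif rec["url"] not in seen_urls:      # skip reports exported by an earlier run
            seen_urls.add(rec["url"])
            writer.writerow([csv_safe(rec.get(f, "")) for f in FIELDS])
    return out.getvalue(), rejected

# Constructed sample records in the Actor's documented output shape.
BASE = {"severity": "high", "reward": 2500, "vendorHandle": "exampleinc",
        "category": "Cross-Site Scripting (XSS)", "disclosedDate": "2024-03-10T14:05:00.000Z"}
SAMPLE = [
    {**BASE, "title": "Stored XSS in profile bio", "url": "https://hackerone.com/reports/654321"},
    {**BASE, "title": "=SUM(1,1)", "url": "https://hackerone.com/reports/111111"},
    {**BASE, "title": "Off-site link", "severity": "urgent", "url": "https://example.test/r/1"},
]
```

Calling `export(SAMPLE, set())` returns the CSV text plus the list of rejected records; persisting `seen_urls` between scheduled runs keeps each report from being ingested twice.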

Tips

  • Date ordering: Hacktivity is displayed newest-first by default. When daysBack is set, the Actor stops fetching once it encounters reports older than the cutoff, making date-filtered runs very fast.
  • Severity + reward filters: These are applied client-side. Combining a tight severity filter with a high minReward may require fetching more pages than the final count suggests.
  • Large datasets: For runs above 1 000 items, set maxItems explicitly to avoid unexpectedly long run times.
  • Rate limiting: The Actor respects HackerOne's natural page size and does not hammer the server. No additional delays are needed for typical use.

FAQ, Disclaimers, and Support

Is scraping HackerOne legal? This Actor only accesses publicly disclosed data that HackerOne makes available to anyone with a browser. No authentication, credentials, or private data are involved.

Data privacy notice:

Our Actors are ethical and do not extract any private user data, such as email addresses, gender, or location. They only extract what the user has chosen to share publicly. We therefore believe that our Actors, when used for ethical purposes by Apify users, are safe. However, you should be aware that your results could contain personal data. Personal data is protected by the GDPR in the European Union and by other regulations around the world. You should not scrape personal data unless you have a legitimate reason to do so. If you're unsure whether your reason is legitimate, consult your lawyers.

The Actor fails or returns no results. HackerOne occasionally changes its internal GraphQL API. If the Actor stops working, please report it via the Issues tab and it will be fixed promptly.

How do I access results programmatically? Use the Apify API tab to get a REST endpoint for your dataset. Results can be fetched as JSON, CSV, or XML.

For bugs and feature requests, please use the Issues tab on the Actor page.