# Hackerone Scraper (`filakovsky/hackerone-scraper`) Actor This Actor scrapes publicly disclosed vulnerability reports from the HackerOne Hacktivity feed - the industry's largest collection of real-world bug bounty disclosures. - **URL**: https://apify.com/filakovsky/hackerone-scraper.md - **Developed by:** [Daniel Filakovsky](https://apify.com/filakovsky) (community) - **Categories:** Developer tools, Automation, Other - **Stats:** 2 total users, 1 monthly users, 100.0% runs succeeded, NaN bookmarks - **User rating**: No ratings yet ## Pricing Pay per usage This Actor is paid per platform usage. The Actor is free to use, and you only pay for the Apify platform usage, which gets cheaper the higher subscription plan you have. Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-usage ## What's an Apify Actor? Actors are a software tools running on the Apify platform, for all kinds of web data extraction and automation use cases. In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours, and optionally produces a well-defined JSON output, datasets with results, or files in key-value store. In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server. Actors are written with capital "A". ## How to integrate an Actor? If asked about integration, you help developers integrate Actors into their projects. You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready. The best way to integrate Actors is as follows. In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md): ```bash npm install apify-client ``` In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md): ```bash pip install apify-client ``` In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md): ````bash # MacOS / Linux curl -fsSL https://apify.com/install-cli.sh | bash # Windows irm https://apify.com/install-cli.ps1 | iex ```bash In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md). If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md). For usage examples, see the [API](#api) section below. For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt). # README ## HackerOne Hacktivity Scraper ### What does HackerOne Hacktivity Scraper do? This Actor scrapes publicly disclosed vulnerability reports from the [HackerOne Hacktivity feed](https://hackerone.com/hacktivity/overview) — the industry's largest collection of real-world bug bounty disclosures. It acts as a **HackerOne API alternative** for the Hacktivity feed, letting you extract structured data without manual browsing. Use it to monitor new disclosures, build threat-intelligence datasets, or research vulnerability trends across programs. > **Note:** Only publicly disclosed reports are collected. Private or undisclosed reports are never accessible through this Actor. ### Why scrape HackerOne Hacktivity? The Hacktivity feed is a goldmine of real-world vulnerability intelligence, but HackerOne provides no public API for bulk access. This Actor closes that gap. **Use cases:** - **Threat intelligence** — track newly disclosed CVEs and bug classes across hundreds of programs - **Security research** — build datasets of vulnerability patterns, reward distributions, and severity trends - **Vendor monitoring** — watch for disclosures affecting a specific company's bug bounty program - **Bug bounty strategy** — identify high-rewarding vulnerability categories to focus on - **Compliance & reporting** — pull structured data into spreadsheets, dashboards, or SIEMs **Platform advantages when running on Apify:** - Schedule runs on a cron to continuously monitor new disclosures - Download results as JSON, CSV, Excel, or XML - Connect to 2,000+ integrations via Zapier, Make, or the Apify API - Use residential proxies to avoid rate limiting ### What data can HackerOne Hacktivity Scraper extract? | Field | Type | Description | |---|---|---| | `title` | string | Report title / vulnerability description | | `severity` | string | `critical`, `high`, `medium`, `low`, or `none` | | `reward` | number | Bounty awarded in USD (0 if unpaid) | | `currency` | string | Reward currency (usually `USD`) | | `vendorName` | string | Bug bounty program / company name | | `vendorHandle` | string | Program handle on HackerOne | | `category` | string | Vulnerability class (e.g. XSS, SSRF, SQL Injection) | | `disclosedDate` | string | ISO-8601 date when the report was publicly disclosed | | `url` | string | Direct link to the public report on HackerOne | | `reporterUsername` | string | Handle of the security researcher who found the bug | ### How to scrape HackerOne Hacktivity 1. **Open the Actor** on the Apify platform and click **Try for free**. 2. **Configure filters** in the Input tab (see the Input section below). 3. Click **Start** and wait for the run to finish — most runs complete in under a minute. 4. **Download results** from the Output tab in JSON, CSV, or Excel format. 5. **Schedule it** via the Schedule tab to get fresh disclosures automatically. ### How much will it cost to scrape HackerOne Hacktivity? This Actor uses a headless browser only for the initial page load, then switches to lightweight HTTP requests for pagination. A typical run of 100 items consumes well under 0.1 Apify Compute Units (CU), which is covered by the free tier. | Items | Estimated CU | Free tier | |---|---|---| | 100 | ~0.05 CU | ✅ Covered | | 1 000 | ~0.2 CU | ✅ Covered | | 10 000 | ~1.5 CU | Requires paid plan | ### Input See the **Input** tab for the full configuration form. Key options: | Parameter | Type | Default | Description | |---|---|---|---| | `severityFilter` | array | `[]` (all) | Limit to specific severity levels: `critical`, `high`, `medium`, `low`, `none` | | `minReward` | integer | `0` | Only include reports with a bounty ≥ this USD amount | | `daysBack` | integer | *(all time)* | Only include reports disclosed in the last N days | | `maxItems` | integer | `100` | Stop after collecting this many matching reports | **Example — collect the 50 most recently disclosed critical/high reports with a reward of at least $1 000:** ```json { "severityFilter": ["critical", "high"], "minReward": 1000, "daysBack": 90, "maxItems": 50 } ```` ### Output You can download the dataset in various formats such as **JSON, CSV, Excel, or HTML** from the Output tab. **Sample output (JSON):** ```json [ { "title": "Remote Code Execution via unsafe YAML deserialization", "severity": "critical", "reward": 20000, "currency": "USD", "vendorName": "Acme Corp", "vendorHandle": "acmecorp", "category": "Remote Code Execution", "disclosedDate": "2024-03-15T09:22:00.000Z", "url": "https://hackerone.com/reports/123456", "reporterUsername": "researcher_handle" }, { "title": "Stored XSS in profile bio field allows account takeover", "severity": "high", "reward": 2500, "currency": "USD", "vendorName": "Example Inc", "vendorHandle": "exampleinc", "category": "Cross-Site Scripting (XSS)", "disclosedDate": "2024-03-10T14:05:00.000Z", "url": "https://hackerone.com/reports/654321", "reporterUsername": "another_researcher" } ] ``` ### Tips - **Date ordering:** Hacktivity is displayed newest-first by default. When `daysBack` is set the Actor stops fetching once it encounters reports older than the cutoff, making date-filtered runs very fast. - **Severity + reward filters:** These are applied client-side. Combining a tight severity filter with a high `minReward` may require fetching more pages than the final count suggests. - **Large datasets:** For runs above 1 000 items set `maxItems` explicitly to avoid unexpectedly long run times. - **Rate limiting:** The Actor respects HackerOne's natural page size and does not hammer the server. No additional delays are needed for typical use. ### FAQ, Disclaimers, and Support **Is scraping HackerOne legal?** This Actor only accesses publicly disclosed data that HackerOne makes available to anyone with a browser. No authentication, credentials, or private data are involved. **Data privacy notice:** > Our Actors are ethical and do not extract any private user data, such as email addresses, gender, or location. They only extract what the user has chosen to share publicly. We therefore believe that our Actors, when used for ethical purposes by Apify users, are safe. However, you should be aware that your results could contain personal data. Personal data is protected by the GDPR in the European Union and by other regulations around the world. You should not scrape personal data unless you have a legitimate reason to do so. If you're unsure whether your reason is legitimate, consult your lawyers. **The Actor fails or returns no results.** HackerOne occasionally changes its internal GraphQL API. If the Actor stops working, please report it via the **Issues** tab and it will be fixed promptly. **How do I access results programmatically?** Use the Apify **API** tab to get a REST endpoint for your dataset. Results can be fetched as JSON, CSV, or XML. For bugs and feature requests, please use the **Issues** tab on the Actor page. # Actor input Schema ## `severityFilter` (type: `array`): Only include reports matching these severity levels. Leave empty to include all severities. ## `minReward` (type: `integer`): Only include reports where the awarded bounty is at least this amount (in USD). Set to 0 to include all reports, including those with no reward. ## `daysBack` (type: `integer`): Only include reports disclosed within the last N days. Leave empty to include all time. ## `maxItems` (type: `integer`): Maximum number of matching items to collect. The actor stops once this limit is reached. ## Actor input object example ```json { "severityFilter": [ "critical", "high" ], "minReward": 0, "daysBack": 30, "maxItems": 100 } ``` # Actor output Schema ## `dataset` (type: `string`): No description # API You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup. ## JavaScript example ```javascript import { ApifyClient } from 'apify-client'; // Initialize the ApifyClient with your Apify API token // Replace the '' with your token const client = new ApifyClient({ token: '', }); // Prepare Actor input const input = { "severityFilter": [ "critical", "high" ], "daysBack": 30 }; // Run the Actor and wait for it to finish const run = await client.actor("filakovsky/hackerone-scraper").call(input); // Fetch and print Actor results from the run's dataset (if any) console.log('Results from dataset'); console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`); const { items } = await client.dataset(run.defaultDatasetId).listItems(); items.forEach((item) => { console.dir(item); }); // 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs ``` ## Python example ```python from apify_client import ApifyClient # Initialize the ApifyClient with your Apify API token # Replace '' with your token. client = ApifyClient("") # Prepare the Actor input run_input = { "severityFilter": [ "critical", "high", ], "daysBack": 30, } # Run the Actor and wait for it to finish run = client.actor("filakovsky/hackerone-scraper").call(run_input=run_input) # Fetch and print Actor results from the run's dataset (if there are any) print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"]) for item in client.dataset(run["defaultDatasetId"]).iterate_items(): print(item) # 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start ``` ## CLI example ```bash echo '{ "severityFilter": [ "critical", "high" ], "daysBack": 30 }' | apify call filakovsky/hackerone-scraper --silent --output-dataset ``` ## MCP server setup ```json { "mcpServers": { "apify": { "command": "npx", "args": [ "mcp-remote", "https://mcp.apify.com/?tools=filakovsky/hackerone-scraper", "--header", "Authorization: Bearer " ] } } } ``` ## OpenAPI specification ```json { "openapi": "3.0.1", "info": { "title": "Hackerone Scraper", "description": "This Actor scrapes publicly disclosed vulnerability reports from the HackerOne Hacktivity feed - the industry's largest collection of real-world bug bounty disclosures.", "version": "0.0", "x-build-id": "rHGFe2Rsuacp1KcVn" }, "servers": [ { "url": "https://api.apify.com/v2" } ], "paths": { "/acts/filakovsky~hackerone-scraper/run-sync-get-dataset-items": { "post": { "operationId": "run-sync-get-dataset-items-filakovsky-hackerone-scraper", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } }, "/acts/filakovsky~hackerone-scraper/runs": { "post": { "operationId": "runs-sync-filakovsky-hackerone-scraper", "x-openai-isConsequential": false, "summary": "Executes an Actor and returns information about the initiated run in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/runsResponseSchema" } } } } } } }, "/acts/filakovsky~hackerone-scraper/run-sync": { "post": { "operationId": "run-sync-filakovsky-hackerone-scraper", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } } }, "components": { "schemas": { "inputSchema": { "type": "object", "properties": { "severityFilter": { "title": "Severity Filter", "type": "array", "description": "Only include reports matching these severity levels. Leave empty to include all severities.", "items": { "type": "string", "enum": [ "critical", "high", "medium", "low", "none" ] }, "default": [] }, "minReward": { "title": "Minimum Reward (USD)", "minimum": 0, "type": "integer", "description": "Only include reports where the awarded bounty is at least this amount (in USD). Set to 0 to include all reports, including those with no reward.", "default": 0 }, "daysBack": { "title": "Disclosed in Last N Days", "minimum": 1, "type": "integer", "description": "Only include reports disclosed within the last N days. Leave empty to include all time." }, "maxItems": { "title": "Maximum Items", "minimum": 1, "maximum": 10000, "type": "integer", "description": "Maximum number of matching items to collect. The actor stops once this limit is reached.", "default": 100 } } }, "runsResponseSchema": { "type": "object", "properties": { "data": { "type": "object", "properties": { "id": { "type": "string" }, "actId": { "type": "string" }, "userId": { "type": "string" }, "startedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "finishedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "status": { "type": "string", "example": "READY" }, "meta": { "type": "object", "properties": { "origin": { "type": "string", "example": "API" }, "userAgent": { "type": "string" } } }, "stats": { "type": "object", "properties": { "inputBodyLen": { "type": "integer", "example": 2000 }, "rebootCount": { "type": "integer", "example": 0 }, "restartCount": { "type": "integer", "example": 0 }, "resurrectCount": { "type": "integer", "example": 0 }, "computeUnits": { "type": "integer", "example": 0 } } }, "options": { "type": "object", "properties": { "build": { "type": "string", "example": "latest" }, "timeoutSecs": { "type": "integer", "example": 300 }, "memoryMbytes": { "type": "integer", "example": 1024 }, "diskMbytes": { "type": "integer", "example": 2048 } } }, "buildId": { "type": "string" }, "defaultKeyValueStoreId": { "type": "string" }, "defaultDatasetId": { "type": "string" }, "defaultRequestQueueId": { "type": "string" }, "buildNumber": { "type": "string", "example": "1.0.0" }, "containerUrl": { "type": "string" }, "usage": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "integer", "example": 1 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } }, "usageTotalUsd": { "type": "number", "example": 0.00005 }, "usageUsd": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "number", "example": 0.00005 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } } } } } } } } } ```