HackerOne + GitHub
Automate Security Vulnerability Management by Integrating HackerOne with GitHub
Connect your bug bounty program to your development workflow so security findings get fixed faster and your code ships safer.

Why integrate HackerOne and GitHub?
HackerOne is the world's leading bug bounty and vulnerability disclosure platform. GitHub is where development teams manage their code, issues, and pull requests. Together, they close the gap between security researchers and the engineers who fix what they find. Without an integration, the handoff between the two is manual, slow, and full of opportunities for findings to get lost.
Automate & integrate HackerOne & GitHub
Use case
Auto-Create GitHub Issues from HackerOne Reports
When a vulnerability report on HackerOne is triaged and validated, automatically create a corresponding GitHub Issue in the relevant repository with the context, severity, and reproduction steps developers need. No more manual copy-paste between security and engineering, and developers can start remediation immediately without waiting for a security team member to file a ticket. One caveat: GitHub has no confidential issues, so every issue is readable by everyone with read access to the repository. Send full reproduction steps only to private repositories whose collaborators you trust with them; elsewhere, file a summary with a link back to the HackerOne report.
Use case
Sync HackerOne Report Status from GitHub Issue State
When a developer closes a GitHub Issue tied to a HackerOne report, automatically update the report in HackerOne to 'Resolved' (or to 'Retesting' if you want the researcher to verify the fix first). Developers never need to log into HackerOne. Because an issue can be closed as 'won't fix' or 'duplicate' as easily as 'fixed', the workflow should check the issue's close reason before resolving the report and route anything closed as not planned to a human. Resolution is also what starts the report's disclosure timeline on the HackerOne side, so it should happen only once the fix has actually shipped.
Use case
Escalate Critical Vulnerabilities to GitHub Projects
When a HackerOne report comes in as Critical or High severity, automatically add the corresponding GitHub Issue to a designated security sprint or GitHub Project board. The most dangerous findings are immediately visible to engineering leads and land in the next sprint cycle. Teams can set severity thresholds to control what triggers escalation.
Use case
Link HackerOne CVE Disclosures to GitHub Security Advisories
When a HackerOne vulnerability is confirmed and a CVE is assigned, automatically draft a corresponding GitHub Security Advisory in the affected repository, carrying the existing CVE ID so GitHub does not request a second one. Open-source maintainers stay within coordinated disclosure norms, and once the advisory is published downstream dependents get notified through GitHub's advisory ecosystem. Keep the advisory as a draft until the fix has shipped: publication makes the description public, so the advisory text should be the agreed disclosure wording, consistent with the HackerOne report but without live proof-of-concept detail.
Use case
Notify Development Teams via GitHub Commits and PR Comments
When a HackerOne report references a specific code area or component, automatically post a comment on related open pull requests or recent commits to alert developers of the active vulnerability. The finding surfaces exactly where code changes are happening, so developers can address it before anything merges. Because a PR or commit comment on a public repository is world-readable the moment it is posted, keep such comments to a reference and a link back to the HackerOne report, and put the details only where the repository is private.
Use case
Track Remediation SLAs Using GitHub Milestone Deadlines
When a report is triaged, automatically create GitHub Milestones with due dates based on HackerOne's severity SLA policies. Issues linked to a vulnerability get added to the milestone, giving engineering managers a clear deadline view. When a milestone is missed, a re-escalation workflow fires back in HackerOne to flag the overdue report.
Use case
Aggregate HackerOne Program Metrics into GitHub Wikis or Repos
On a schedule, pull summary statistics from HackerOne — report volume, average time to triage, resolution rates — and commit them as markdown reports to a GitHub repository or Wiki page. Leadership gets a centralized, version-controlled view of security program health without needing access to HackerOne dashboards.
HackerOne & GitHub Challenges
What challenges are there when working with HackerOne & GitHub and how will using Tray.ai help?
Challenge
Maintaining Bidirectional Status Sync Without Duplication
Keeping HackerOne report states and GitHub Issue statuses in sync is genuinely tricky. Updates on either side can trigger redundant loops, duplicate comments, or conflicting status changes if the integration isn't carefully orchestrated.
How Tray.ai Can Help:
Tray.ai's workflow logic lets teams add conditional checks and idempotency guards so status updates only propagate when something actually changed, and so a change the workflow itself made is recognised when it echoes back as a webhook from the other side. Loop prevention is built directly into the workflow using state-awareness conditions, not bolted on afterward.
Challenge
Mapping Severity Schemas Between Platforms
HackerOne rates reports with a CVSS score and its own severity ratings (None, Low, Medium, High, Critical). GitHub has no built-in severity field: Issues carry free-form labels, and Projects can add custom fields. Translating between them without losing nuance requires explicit field mapping, and that mapping can break whenever either platform changes its schema or someone renames a label.
How Tray.ai Can Help:
Tray.ai's data mapping and transformation tools let teams define explicit severity translation logic with version-controlled workflow configurations. When platforms change, updating the mapping is straightforward, and label application stays consistent across GitHub repositories.
Challenge
Routing Reports to the Correct GitHub Repository
Large engineering organizations can have hundreds of GitHub repositories. A HackerOne report needs to reach the right one based on the affected component, asset, or team. Getting this wrong manually is error-prone and slows down remediation.
How Tray.ai Can Help:
Tray.ai supports dynamic routing logic that reads HackerOne report metadata — affected asset, program tags, component keywords — and matches it against a lookup table of repository names. Each issue lands in the right place automatically.
Challenge
Handling HackerOne API Rate Limits During Bulk Operations
Bulk report exports, historical data syncs, and scheduled metric pulls can all hit HackerOne API rate limits, leaving you with incomplete syncs or failed workflow runs that are hard to diagnose and resume.
How Tray.ai Can Help:
Tray.ai has built-in retry logic, error handling branches, and configurable throttling controls so workflows handle rate limit responses gracefully. They pause, resume from where they stopped, and alert operators when something needs attention rather than failing silently.
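The retry and resume behaviour described in this challenge, written out as an added example in Python (it is not Tray.ai's or HackerOne's code). The backoff honours a Retry-After header on 429, falls back to exponential delay with full jitter otherwise, and refuses to retry other 4xx errors, which usually mean a bad token or wrong id rather than throttling. The paginated sync persists a checkpoint after every page so a run that exhausts its retries can be restarted without re-processing, and re-filing, the reports it already handled. The FakeHackerOneAPI stand-in and its `next_page` field are constructed for the example; the real API paginates with `page[number]` and a `links.next` URL.

```python
import random
import time


class RetryExhausted(Exception):
    pass


def call_with_backoff(send, *, max_attempts=6, base=1.0, cap=60.0,
                      sleep=time.sleep, rand=random.random):
    """Call send() -> (status, headers, body) until it returns a 2xx/3xx.

    429 and 5xx are retried. A numeric Retry-After header is honoured; without
    one the delay is exponential with full jitter, capped at `cap` seconds.
    Other 4xx (bad token, wrong report id) are not retried. Returns (body, delays)
    so a caller or test can see what waiting happened."""
    delays = []
    for attempt in range(1, max_attempts + 1):
        status, headers, body = send()
        if status < 400:
            return body, delays
        if status != 429 and not 500 <= status < 600:
            raise RuntimeError(f"HTTP {status}: not retryable")
        if attempt == max_attempts:
            raise RetryExhausted(f"gave up after {attempt} attempts (last HTTP {status})")
        retry_after = headers.get("Retry-After", "")
        if retry_after.strip().isdigit():
            delay = min(float(retry_after), cap)
        else:
            delay = min(cap, base * 2 ** (attempt - 1)) * rand()
        delays.append(delay)
        sleep(delay)


def sync_reports(fetch_page, checkpoint, handle, **backoff):
    """Walk a paginated report listing, persisting the next page in `checkpoint`
    after every page so a run killed by exhausted retries resumes where it
    stopped instead of re-processing (and re-filing) earlier pages.
    Returns the ids handled in this run."""
    page = checkpoint.get("next_page", 1)
    handled = []
    while page is not None:
        body, _ = call_with_backoff(lambda: fetch_page(page), **backoff)
        for report in body["data"]:
            handle(report)
            handled.append(report["id"])
        page = body.get("next_page")
        checkpoint["next_page"] = page      # persist before fetching the next page
    return handled


class FakeHackerOneAPI:
    """Constructed stand-in for a paginated HackerOne reports listing: three
    pages, and page 2 answers 429 with Retry-After once before succeeding."""

    def __init__(self):
        self.pages = {1: ["r1", "r2"], 2: ["r3", "r4"], 3: ["r5"]}
        self.throttled_once = False
        self.calls = 0

    def fetch_page(self, n):
        self.calls += 1
        if n == 2 and not self.throttled_once:
            self.throttled_once = True
            return 429, {"Retry-After": "2"}, {"errors": [{"status": "429"}]}
        nxt = n + 1 if (n + 1) in self.pages else None
        return 200, {}, {"data": [{"id": r} for r in self.pages[n]], "next_page": nxt}


if __name__ == "__main__":
    api, checkpoint, seen = FakeHackerOneAPI(), {}, []
    print(sync_reports(api.fetch_page, checkpoint, seen.append, sleep=lambda s: None))
    print("checkpoint after full run:", checkpoint, "API calls:", api.calls)
```

The checkpoint dict stands in for whatever durable store the workflow has (a workflow variable, a row in a table); the property that matters is that it is written after each page and read before the first fetch, so an interrupted weekly pull picks up at page N rather than page 1.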
Challenge
Securing Sensitive Vulnerability Data in Transit
Vulnerability report details are highly sensitive. Reproduction steps, proof-of-concept code, and CVE identifiers need to move securely between HackerOne and GitHub — premature disclosure or exposure in logs is a real risk.
How Tray.ai Can Help:
Tray.ai encrypts data in transit, supports token-based authentication for both HackerOne and GitHub API connections, and lets teams redact or mask sensitive fields within workflow steps, which also keeps proof-of-concept detail out of workflow run logs. Vulnerability data stays within responsible disclosure policies throughout.
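What a redaction step should actually do before report text leaves HackerOne, shown as an added Python example (not Tray.ai's or HackerOne's code) that also serves the PR-comment use case above: proof-of-concept sections are replaced by a pointer back to the report, credential-looking strings captured in the researcher's requests are masked everywhere, and a comment destined for a public repository gets only a link. The sample report body, the heading names and the secret patterns are constructed for the example; the patterns are deliberately narrow and are not a substitute for a real secret scanner.

```python
import re

# Headings whose content is the proof of concept. When the destination is
# readable by anyone but the fixing team, the section is replaced by a pointer.
POC_HEADING_RE = re.compile(
    r"^#{1,6}\s*(proof[ -]of[ -]concept|poc|steps to reproduce|reproduction(?: steps)?|exploit)\b",
    re.IGNORECASE,
)

# Credential shapes that turn up in researchers' request captures (assumed set).
SECRET_PATTERNS = [
    (re.compile(r"(?i)\b(authorization:\s*bearer)\s+[A-Za-z0-9._~+/=-]{8,}"), r"\1 [REDACTED]"),
    (re.compile(r"(?i)\b(cookie|set-cookie):\s*[^\n]+"), r"\1: [REDACTED]"),
    (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "[REDACTED_AWS_KEY_ID]"),
    (re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), "[REDACTED_GITHUB_TOKEN]"),
]

# Constructed sample report body (not a real finding).
SAMPLE_BODY = """## Summary
Stored XSS in the invoice notes field on billing.example.com.

## Proof of Concept
1. Log in and capture the header Cookie: session=abc123
2. POST /invoices with Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig
3. Notes field payload: <img src=x onerror=alert(document.cookie)>

## Impact
Session theft for any admin who views the invoice.
"""


def redact(markdown, *, drop_poc=True):
    """Return (redacted_text, removed_section_titles).

    Splits on markdown headings, replaces proof-of-concept sections with a
    pointer back to HackerOne, then masks credential-looking strings everywhere."""
    parts = re.split(r"(?m)^(#{1,6}[ \t].*)$", markdown)
    kept, removed = [parts[0]], []
    for heading, body in zip(parts[1::2], parts[2::2]):
        if drop_poc and POC_HEADING_RE.match(heading):
            removed.append(heading.lstrip("#").strip())
            kept.append(f"{heading}\n_Removed: see the HackerOne report._\n\n")
        else:
            kept.append(heading + body)
    text = "".join(kept)
    for pattern, replacement in SECRET_PATTERNS:
        text = pattern.sub(replacement, text)
    return text, removed


def pr_comment(report_id, report_body, *, repo_is_private):
    """Text to post on a pull request or commit touching the affected code.

    A comment on a public repo is world-readable the moment it is posted, so it
    gets a pointer only; a private repo gets the redacted body."""
    link = f"https://hackerone.com/reports/{report_id}"
    if not repo_is_private:
        return (f"A HackerOne report ({link}) affects code changed here. "
                "Details are in the report, not in this thread.")
    text, _removed = redact(report_body)
    return f"HackerOne report {link} affects code changed here.\n\n{text}"


if __name__ == "__main__":
    print(pr_comment("1234567", SAMPLE_BODY, repo_is_private=True))
```

Redaction is applied inside the workflow, before the GitHub call, for the reason the challenge gives: anything that reaches the GitHub API also reaches the workflow's run logs, and those are read by people who were never cleared for the proof of concept.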
HackerOne & GitHub Templates
Find pre-built HackerOne & GitHub solutions for common use cases
Template
HackerOne Validated Report to GitHub Issue
Automatically creates a detailed GitHub Issue whenever a HackerOne vulnerability report moves to 'Triaged', mapping severity, CVSS score, and reproduction steps from the report into the issue body and labels.
Steps:
- Trigger: HackerOne report state changes to 'Triaged' (HackerOne's state for a validated report that is awaiting a fix)
- Transform: Map HackerOne report fields (title, severity, description, CVSS) to GitHub Issue schema
- Action: Create a new GitHub Issue in the target repository with appropriate severity labels and assignees
Connectors Used: HackerOne, GitHub
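The transform and action steps of this template, plus the severity-mapping and repository-routing challenges above, as one added Python example (not Tray.ai's or HackerOne's code). It maps the report's severity rating to labels through an explicit table, flags a rating that disagrees with its CVSS score, routes by the structured-scope asset with a catch-all fallback, and embeds an invisible marker in the issue body so a re-run (or a duplicate webhook delivery) finds the existing issue instead of filing a second one. The sample report is constructed and shaped after HackerOne's JSON:API report object; its attribute and relationship names, the routing table and the repository names are assumptions for the example.

```python
import re

# Constructed sample shaped like a HackerOne API v1 report object. Attribute
# and relationship names are assumptions; verify against the live API.
SAMPLE_REPORT = {
    "data": {
        "id": "1234567",
        "type": "report",
        "attributes": {
            "title": "Stored XSS in invoice notes",
            "state": "triaged",
            "vulnerability_information": "## Summary\nStored XSS on billing.example.com.\n",
        },
        "relationships": {
            "severity": {"data": {"attributes": {"rating": "high", "score": 7.3}}},
            "structured_scope": {"data": {"attributes": {
                "asset_identifier": "billing.example.com", "asset_type": "URL"}}},
        },
    }
}

# Explicit, version-controlled severity translation. An unknown or missing
# rating gets its own visible label instead of silently becoming "low".
SEVERITY_LABELS = {
    "critical": ["security", "severity:critical"],
    "high":     ["security", "severity:high"],
    "medium":   ["security", "severity:medium"],
    "low":      ["security", "severity:low"],
    "none":     ["security", "severity:informational"],
}
UNRATED_LABELS = ["security", "severity:unrated", "needs-triage"]

# Hypothetical routing table: structured-scope asset -> repository. Anything
# not listed lands in a catch-all repo the security team watches.
ASSET_TO_REPO = {
    "billing.example.com": "example/billing",
    "api.example.com": "example/api-gateway",
}
FALLBACK_REPO = "example/security-triage"

MARKER_RE = re.compile(r"<!--\s*hackerone-report:(\d+)\s*-->")


def cvss_band(score):
    """CVSS v3.x qualitative band for a numeric score, or None if no score."""
    if score is None:
        return None
    if score == 0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def find_existing_issue(existing_issues, report_id):
    """Return the issue whose body already carries this report's marker, if any.
    `existing_issues` is the list a GitHub issues search/list call returned."""
    for issue in existing_issues:
        m = MARKER_RE.search(issue.get("body") or "")
        if m and m.group(1) == str(report_id):
            return issue
    return None


def build_issue(report, existing_issues=()):
    """Decide whether to create an issue and, if so, build the request fields."""
    data = report["data"]
    rid = data["id"]
    attrs = data["attributes"]
    rel = data.get("relationships", {})
    sev = ((rel.get("severity") or {}).get("data") or {}).get("attributes", {})
    scope = ((rel.get("structured_scope") or {}).get("data") or {}).get("attributes", {})
    rating = (sev.get("rating") or "").lower()
    score = sev.get("score")
    asset = scope.get("asset_identifier")

    existing = find_existing_issue(existing_issues, rid)
    if existing is not None:
        return {"action": "skip", "existing_issue": existing["number"]}

    labels = list(SEVERITY_LABELS.get(rating, UNRATED_LABELS))
    band = cvss_band(score)
    if band and rating and band != rating:
        labels.append("severity:mismatch")   # rating and CVSS disagree; a human should look

    body = "\n".join([
        f"<!-- hackerone-report:{rid} -->",   # idempotency marker, invisible when rendered
        f"**HackerOne report:** https://hackerone.com/reports/{rid}",
        f"**Severity:** {rating or 'unrated'}"
        + (f" (CVSS {score})" if score is not None else ""),
        f"**Asset:** {asset or 'unknown'}",
        "",
        # Copy report text only into a private repo, and strip proof-of-concept
        # detail first if anyone outside the fixing team can read the issue.
        attrs.get("vulnerability_information", ""),
    ])
    return {
        "action": "create",
        "repo": ASSET_TO_REPO.get(asset, FALLBACK_REPO),
        "title": f"[H1-{rid}] {attrs['title']}",
        "body": body,
        "labels": labels,
    }


if __name__ == "__main__":
    print(build_issue(SAMPLE_REPORT))
```

The `action: skip` result is the idempotency guard the challenges section asks for: the workflow searches the target repository for the marker before the create call, so replayed webhooks and manual re-runs are harmless.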
Template
GitHub Issue Closed to HackerOne Report Resolution
Monitors GitHub for Issues tagged with a HackerOne report ID and, when one is closed as completed, automatically updates the linked HackerOne report to 'Resolved' and adds a resolution comment. Issues closed as not planned are flagged for a human instead, since they may mean 'won't fix', 'duplicate', or 'can't reproduce' rather than 'fixed'.
Steps:
- Trigger: GitHub Issue with a HackerOne label or reference is closed with close reason 'completed' (not 'not planned')
- Lookup: Extract HackerOne report ID from the GitHub Issue body or label
- Action: Update HackerOne report state to 'Resolved' and post a resolution comment with the GitHub Issue URL
Connectors Used: GitHub, HackerOne
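The trigger, lookup and action steps of this template, together with the bidirectional-sync challenge above, as an added Python example (not Tray.ai's, GitHub's or HackerOne's code). It takes a GitHub `issues` webhook payload, extracts the report id from the marker the issue-creation workflow embedded, refuses to resolve anything closed as not planned, drops closes made by the sync bot's own account, and keeps a per-report record of the last state it wrote so an echo of its own change is skipped rather than turned into another update. The webhook payload is constructed; `state_reason`, `html_url` and `sender.login` follow GitHub's documented webhook fields, while the bot login and the JSON:API shape of the HackerOne state-change request are assumptions to check against the current docs.

```python
import re
from dataclasses import dataclass

MARKER_RE = re.compile(r"<!--\s*hackerone-report:(\d+)\s*-->")

# Constructed GitHub `issues` webhook payload for action=closed. Field names
# follow GitHub's webhook schema; `state_reason` is "completed" or "not_planned".
CLOSED_AS_FIXED = {
    "action": "closed",
    "issue": {
        "number": 42,
        "state": "closed",
        "state_reason": "completed",
        "html_url": "https://github.com/example/billing/issues/42",
        "body": "<!-- hackerone-report:1234567 -->\n"
                "**HackerOne report:** https://hackerone.com/reports/1234567",
    },
    "sender": {"login": "dev-alice"},
}

# Assumed: the GitHub login the integration acts as. Its own closes are echoes.
BOT_LOGINS = {"tray-sync-bot"}


@dataclass
class Decision:
    action: str            # "resolve", "flag" or "skip"
    reason: str
    report_id: str = ""
    message: str = ""


class SyncGuard:
    """Remembers the last HackerOne state this workflow wrote per report, so the
    HackerOne webhook that follows our own state change is recognised as an echo
    and not turned into yet another GitHub update (and vice versa)."""

    def __init__(self):
        self.last_written = {}

    def already_at(self, report_id, state):
        return self.last_written.get(report_id) == state

    def record(self, report_id, state):
        self.last_written[report_id] = state


def decide(payload, guard):
    """Map a GitHub issue-closed event to a HackerOne state change, or refuse."""
    if payload.get("action") != "closed":
        return Decision("skip", "not a close event")
    if payload.get("sender", {}).get("login") in BOT_LOGINS:
        return Decision("skip", "closed by the sync bot itself; echo of our own change")
    issue = payload["issue"]
    m = MARKER_RE.search(issue.get("body") or "")
    if not m:
        return Decision("skip", "issue is not linked to a HackerOne report")
    rid = m.group(1)
    if issue.get("state_reason") == "not_planned":
        # "Won't fix", "duplicate" and "can't reproduce" all close as not_planned.
        # None of those is "resolved"; a human must pick the right HackerOne state.
        return Decision("flag", "closed as not planned; needs a human decision", rid)
    if guard.already_at(rid, "resolved"):
        return Decision("skip", "report already resolved by this workflow", rid)
    guard.record(rid, "resolved")
    msg = f"Fix tracked in {issue['html_url']} was closed by @{payload['sender']['login']}."
    return Decision("resolve", "issue closed as completed", rid, msg)


def state_change_request(decision):
    """Body for HackerOne's POST /v1/reports/{id}/state_changes. The JSON:API
    shape here is an assumption for the example; check the current API docs."""
    if decision.action != "resolve":
        raise ValueError("only resolve decisions become state changes")
    return {"data": {"type": "state-change",
                     "attributes": {"state": "resolved", "message": decision.message}}}


if __name__ == "__main__":
    guard = SyncGuard()
    d = decide(CLOSED_AS_FIXED, guard)
    print(d)
    print(state_change_request(d))
    print(decide(CLOSED_AS_FIXED, guard))   # second delivery of the same event: skipped
```

The same guard object is what the HackerOne-to-GitHub direction should consult before relabelling or closing an issue; a store of "last state I wrote" on each side is what turns two webhooks into a sync rather than a ping-pong.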
Template
Critical Severity HackerOne Report to GitHub Project Escalation
When a HackerOne report is rated Critical or High, instantly creates a GitHub Issue labelled with the report's severity and adds it to a designated security GitHub Project board column, notifying the on-call security engineer via a GitHub assignment.
Steps:
- Trigger: HackerOne report created or updated with Critical or High severity rating
- Action: Create a GitHub Issue with a label matching the report's severity ('Security:Critical' or 'Security:High') and link back to the HackerOne report
- Action: Add the GitHub Issue to the Security Sprint GitHub Project board and assign to the on-call engineer
Connectors Used: HackerOne, GitHub
Template
HackerOne CVE to GitHub Security Advisory Draft
When a CVE is assigned to a HackerOne vulnerability, automatically creates a draft GitHub Security Advisory in the affected repository, pre-populated with the vulnerability description, affected versions, and CVE identifier.
Steps:
- Trigger: HackerOne report receives a CVE assignment (or is marked for public disclosure)
- Transform: Map report details to GitHub Security Advisory fields including severity, affected packages, and CVE ID
- Action: Create a draft GitHub Security Advisory in the specified repository, carrying the existing CVE ID, for security team review; it stays unpublished until the fix has shipped
Connectors Used: HackerOne, GitHub
Template
Scheduled HackerOne Metrics Report Committed to GitHub
Runs weekly to fetch HackerOne program statistics — open reports, average MTTR, bounty spend — and commits a formatted markdown summary to a designated GitHub repository for stakeholder review.
Steps:
- Trigger: Scheduled weekly timer fires
- Action: Query HackerOne API for program metrics including report counts, severity breakdown, and resolution times
- Action: Format data as a markdown report and commit the file to a GitHub repository with a timestamped filename
Connectors Used: HackerOne, GitHub
Template
New HackerOne Program Invitation Synced to GitHub Team Access
When a new researcher accepts an invitation to a private HackerOne program, automatically grants them read access to a designated GitHub repository containing program-specific scope documentation, integration test environments, or security tooling. Access is granted through a dedicated GitHub team with read permission only, so it can be revoked in one place when the researcher leaves the program.
Steps:
- Trigger: New researcher accepts an invitation to a private HackerOne program (acceptance, not the invitation itself)
- Lookup: Match researcher identity to a corresponding GitHub username via a mapping table or shared email
- Action: Add the researcher's GitHub account to the designated read-only GitHub team (rather than as a direct collaborator) so access can be removed when they leave the program
Connectors Used: HackerOne, GitHub