The Ultimate HackerOne Dashboard Guide: 25+ Commands to Quantify Your Cyber Risk


Introduction:

Modern cybersecurity programs must move beyond static reports and adopt dynamic, data-driven metrics. The HackerOne Risk over Time (RoT) and Rate of Mitigation (RoM) dashboards represent a paradigm shift, transforming raw vulnerability data into actionable intelligence for strategic decision-making. This guide provides the technical commands to operationalize these metrics and harden your security posture.

Learning Objectives:

  • Understand the core components and data sources powering the RoM and RoT dashboards.
  • Master the command-line and API techniques to extract, manipulate, and analyze your own vulnerability data.
  • Implement automated workflows to replicate these living metrics within your internal security operations.

You Should Know:

1. Extracting Your HackerOne Data via API

To build a custom dashboard, you first need programmatic access to your findings. The HackerOne API is the primary conduit for this data.

curl -X GET "https://api.hackerone.com/v1/hackers/programs/your_program_id/reports" \
-u "your_api_username:your_api_token" \
-H "Accept: application/json" | jq '.data[] | select(.attributes.state == "new")'

Step-by-step guide: This `curl` command authenticates to the HackerOne API using Basic Auth (your API username and token) and fetches all reports for a specified program. The output is piped to `jq`, a powerful JSON processor, which filters the results to show only reports in a "new" state. You should replace `your_program_id`, `your_api_username`, and `your_api_token` with your actual credentials. This is the foundational step for any custom data analysis.

2. Calculating Mean Time to Triage (MTTT) with Bash

The RoM dashboard heavily relies on time-based metrics. MTTT is a critical measure of your team's responsiveness.

#!/bin/bash
# Calculate Mean Time to Triage (MTTT) from a JSON export of reports.
# Note: `date -d` is GNU date; on macOS install coreutils and use `gdate`.
jq -r '.data[] | [.id, .attributes.created_at, .attributes.triaged_at] | @tsv' reports.json | while IFS=$'\t' read -r id created triaged; do
  # @tsv renders a null triaged_at as an empty field, so skip untriaged reports
  if [ -n "$triaged" ]; then
    sec_diff=$(( $(date -d "$triaged" +%s) - $(date -d "$created" +%s) ))
    echo "$sec_diff"
  fi
done | awk '{ total += $1; count++ } END { if (count) print "Average MTTT: ", total/count/3600, "hours"; else print "No triaged reports yet" }'

Step-by-step guide: This Bash script parses a downloaded JSON file of HackerOne reports (reports.json). It uses `jq` to extract the report ID, creation time, and triage time into a tab-separated format. A `while` loop processes each line: if a report has been triaged, it calculates the difference in seconds between the created and triaged timestamps. Finally, `awk` sums all the seconds and calculates the average, converting the result into hours. Run this script in a Linux/macOS terminal to get a quick MTTT metric.

3. Automating Data Export with Python and Requests

For ongoing analysis, automate the data pull using the Python `requests` library.

import requests
from requests.auth import HTTPBasicAuth
import json
import datetime

auth = HTTPBasicAuth('your_api_username', 'your_api_token')
url = 'https://api.hackerone.com/v1/hackers/programs/your_program_id/reports'
headers = {'Accept': 'application/json'}

response = requests.get(url, auth=auth, headers=headers, timeout=30)
response.raise_for_status()  # fail loudly on auth or rate-limit errors instead of saving an error body
data = response.json()

# Save with a timestamped filename
filename = f"h1_reports_export_{datetime.datetime.now().strftime('%Y%m%d')}.json"
with open(filename, 'w') as f:
    json.dump(data, f)
print(f"Data exported to {filename}")

Step-by-step guide: This Python script performs the same authentication and data retrieval as the `curl` command but is more suitable for automation. Replace the placeholder credentials and program ID. The script uses the `datetime` module to create a filename with the current date, ensuring each export is unique. You can schedule this script to run daily using `cron` (Linux) or Task Scheduler (Windows) to maintain a constant feed of fresh data for your dashboards.

4. Querying for Critical/High Severity Open Reports

Prioritization is key. This command filters your open reports to show only the most severe ones, a core concept in the RoT dashboard.

curl -s -X GET "https://api.hackerone.com/v1/hackers/programs/your_program_id/reports?filter[state][]=new&filter[state][]=triaged" \
-u "your_api_username:your_api_token" \
-H "Accept: application/json" | jq '.data[] | select(.attributes.severity.rating == "critical" or .attributes.severity.rating == "high") | {id: .id, title: .attributes.title, severity: .attributes.severity.rating}'

Step-by-step guide: This advanced `curl` and `jq` command introduces query parameters (`?filter[state][]=new&filter[state][]=triaged`) to the API request. This tells the API to only return reports that are in the "new" or "triaged" state. The `jq` command then further filters this subset to include only reports with a severity rating of "critical" or "high". The output is a clean list of IDs, titles, and severities, giving you an immediate view of your most pressing risks.
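A Python version of the two calculations above (the MTTT from section 2 and the critical/high open-report filter from this section), added here as an example; it is not code from the original post. It runs over a small constructed export in the shape of the API response (only the attributes these calculations use), where a real run would load the file written by the section 3 script. It also reports the median, which a single very slow triage skews far less than the mean, and it tolerates reports whose severity has not been set yet.

```python
import json
import statistics
from datetime import datetime, timezone

# Constructed sample export in the shape of the HackerOne API response used above.
# Report 104 has no severity yet, and 102/104 have not been triaged.
SAMPLE_EXPORT = json.dumps({
    "data": [
        {"id": "101", "type": "report", "attributes": {
            "title": "SQL injection in search", "state": "triaged",
            "created_at": "2023-10-01T08:00:00.000Z", "triaged_at": "2023-10-01T14:00:00.000Z",
            "severity": {"rating": "critical"}}},
        {"id": "102", "type": "report", "attributes": {
            "title": "Reflected XSS on login", "state": "new",
            "created_at": "2023-10-02T09:00:00.000Z", "triaged_at": None,
            "severity": {"rating": "high"}}},
        {"id": "103", "type": "report", "attributes": {
            "title": "Verbose server banner", "state": "resolved",
            "created_at": "2023-10-01T10:00:00.000Z", "triaged_at": "2023-10-03T10:00:00.000Z",
            "severity": {"rating": "low"}}},
        {"id": "104", "type": "report", "attributes": {
            "title": "IDOR on invoice download", "state": "new",
            "created_at": "2023-10-03T12:00:00.000Z", "triaged_at": None,
            "severity": None}},
    ]
})

OPEN_STATES = {"new", "triaged"}
URGENT_RATINGS = {"critical", "high"}


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps the export uses into aware UTC datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def triage_hours(export_json):
    """Hours from created_at to triaged_at for every report that has been triaged."""
    hours = []
    for report in json.loads(export_json)["data"]:
        attrs = report["attributes"]
        if not attrs.get("triaged_at"):  # untriaged reports carry null: skip them
            continue
        delta = parse_ts(attrs["triaged_at"]) - parse_ts(attrs["created_at"])
        hours.append(delta.total_seconds() / 3600)
    return hours


def mttt(export_json):
    """Mean and median time to triage in hours; (None, None) if nothing is triaged yet."""
    hours = triage_hours(export_json)
    if not hours:
        return None, None
    return statistics.mean(hours), statistics.median(hours)


def open_urgent_reports(export_json):
    """Open (new/triaged) reports rated critical or high, highest id first."""
    rows = []
    for report in json.loads(export_json)["data"]:
        attrs = report["attributes"]
        rating = (attrs.get("severity") or {}).get("rating")  # severity may be null
        if attrs["state"] in OPEN_STATES and rating in URGENT_RATINGS:
            rows.append({"id": report["id"], "title": attrs["title"], "severity": rating})
    return sorted(rows, key=lambda r: r["id"], reverse=True)


if __name__ == "__main__":
    mean_h, median_h = mttt(SAMPLE_EXPORT)
    print(f"Mean MTTT: {mean_h:.1f} h, median: {median_h:.1f} h")
    for row in open_urgent_reports(SAMPLE_EXPORT):
        print(row)
```

To run it against a real export, replace `SAMPLE_EXPORT` with the contents of the `h1_reports_export_YYYYMMDD.json` file the section 3 script writes.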

5. Tracking Report State Changes for RoM

The Rate of Mitigation is about the velocity of closure. Tracking state changes over time is how you calculate it.

-- Example query for an internal database storing HackerOne report snapshots
SELECT
  DATE(snapshot_date) AS date,
  COUNT(*) AS total_reports,
  SUM(CASE WHEN state = 'resolved' THEN 1 ELSE 0 END) AS resolved_count,
  (SUM(CASE WHEN state = 'resolved' THEN 1 ELSE 0 END) * 100.0 / COUNT(*)) AS daily_rom_percentage
FROM
  h1_report_snapshots
WHERE
  snapshot_date > NOW() - INTERVAL '30 days'
GROUP BY
  DATE(snapshot_date)
ORDER BY
  date;

Step-by-step guide: This SQL query assumes you are storing daily snapshots of your HackerOne report data in a relational database (e.g., PostgreSQL). It calculates a daily RoM by grouping snapshots by date and then counting what percentage of total reports on that day were in a "resolved" state. To implement this, you must first have an automated process (like the Python script above) that populates a database table (h1_report_snapshots) with the state of every report every day.

6. Visualizing Risk Over Time with a Simple Plot

Raw numbers are less effective than trends. Command-line tools can generate simple visualizations.

# First, create a CSV file 'risk_data.csv' with columns: date,open_count
cat > risk_data.csv <<EOF
date,open_count
2023-10-01,15
2023-10-02,12
2023-10-03,17
EOF

gnuplot -persist <<-EOF
set terminal dumb  # Use 'dumb' for terminal text, or 'png' for an image file
set title "Open Reports Over Time (Risk over Time)"
set datafile separator ","  # the file is comma-separated, not whitespace-separated
set key autotitle columnhead  # treat the first line as a header, not a data point
set xdata time
set timefmt "%Y-%m-%d"
set format x "%m-%d"
set xlabel "Date"
set ylabel "Open Reports"
plot 'risk_data.csv' using 1:2 with linespoints title "RoT"
EOF

Step-by-step guide: This command uses gnuplot, a powerful open-source plotting program, to create a graph from a CSV file. The CSV file must be pre-populated with dates and the count of open reports on those dates (data you can derive from your daily snapshots). The `set terminal dumb` option will render the graph directly in your terminal using ASCII characters, which is a quick way to see a trend. For a formal dashboard, you would use `set terminal png` and output to an image file.
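The SQL in section 5 and the plot in this section both consume daily snapshots. As an added example (not code from the original post), here is the same aggregation done in Python over a constructed list of snapshot rows in the shape of the `h1_report_snapshots` table: it produces the daily RoM percentage from section 5 and the `date,open_count` CSV that the gnuplot command above reads. The row layout `(snapshot_date, report_id, state)` is an assumption for this example.

```python
import csv
import io
from collections import defaultdict

# Constructed daily snapshot rows: one (snapshot_date, report_id, state) per report per day,
# mirroring the h1_report_snapshots table assumed in section 5.
SAMPLE_SNAPSHOTS = [
    ("2023-10-01", "101", "new"),
    ("2023-10-01", "102", "triaged"),
    ("2023-10-01", "103", "new"),
    ("2023-10-01", "104", "resolved"),
    ("2023-10-02", "101", "triaged"),
    ("2023-10-02", "102", "resolved"),
    ("2023-10-02", "103", "new"),
    ("2023-10-02", "104", "resolved"),
    ("2023-10-03", "101", "resolved"),
    ("2023-10-03", "102", "resolved"),
    ("2023-10-03", "103", "triaged"),
    ("2023-10-03", "104", "resolved"),
    ("2023-10-03", "105", "new"),  # a report that arrived on day three
]

OPEN_STATES = {"new", "triaged"}


def daily_metrics(snapshots):
    """Per snapshot day: total reports, open reports (RoT) and resolved share (RoM, percent)."""
    by_day = defaultdict(list)
    for day, _report_id, state in snapshots:
        by_day[day].append(state)
    out = []
    for day in sorted(by_day):
        states = by_day[day]
        total = len(states)
        resolved = sum(1 for s in states if s == "resolved")
        open_count = sum(1 for s in states if s in OPEN_STATES)
        rom = round(100.0 * resolved / total, 1) if total else 0.0  # guard an empty day
        out.append({"date": day, "total": total, "open_count": open_count,
                    "resolved_count": resolved, "rom_pct": rom})
    return out


def risk_csv(snapshots):
    """The date,open_count CSV that the gnuplot command above plots (the RoT series)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["date", "open_count"])
    for row in daily_metrics(snapshots):
        writer.writerow([row["date"], row["open_count"]])
    return buf.getvalue()


if __name__ == "__main__":
    for row in daily_metrics(SAMPLE_SNAPSHOTS):
        print(f"{row['date']}: open={row['open_count']} resolved={row['resolved_count']}/{row['total']} RoM={row['rom_pct']}%")
    with open("risk_data.csv", "w") as f:
        f.write(risk_csv(SAMPLE_SNAPSHOTS))
```

Note that the RoM share and the open count move in opposite directions on the same days, which is the point of reading the two dashboards together: a rising RoM with a flat open count means new reports are arriving as fast as old ones close.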

7. Hardening Your API Authentication

When building automation, securing your credentials is paramount. Never hardcode them in scripts.

# On Linux/macOS, store credentials in your shell keychain or use environment variables.
# Add to ~/.bash_profile or ~/.zshrc:
export H1_USER='your_api_username'
export H1_TOKEN='your_api_token'

# Then your curl command becomes more secure:
curl -u "$H1_USER:$H1_TOKEN" ...

Step-by-step guide: This best practice involves moving your sensitive API credentials out of your scripts and into environment variables. On Linux/macOS, you can define these variables in your shell's profile script. Your scripts can then access them via `os.environ['H1_USER']` in Python or `$H1_USER` in Bash. This prevents accidentally leaking credentials if you share your code. For production systems, use a dedicated secrets management tool.
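One way to consume those environment variables from the Python exporter in section 3, added here as an example rather than code from the original post: the loader takes the environment as a parameter (so it is testable), refuses to run when either variable is missing or blank instead of falling back to a placeholder, and a small redaction helper gives you something safe to write to logs. The returned `(user, token)` tuple can be passed straight to `requests.get(..., auth=...)`, which accepts a plain tuple as Basic Auth.

```python
import os

REQUIRED = ("H1_USER", "H1_TOKEN")


class MissingCredential(RuntimeError):
    """Raised when the API credentials are not present in the environment."""


def load_h1_credentials(env=None):
    """Return (username, token) from the environment; fail loudly rather than fall back."""
    env = os.environ if env is None else env
    missing = [name for name in REQUIRED if not env.get(name, "").strip()]
    if missing:
        # Name the variables, never their values, in the error message.
        raise MissingCredential(f"set {', '.join(missing)} before running (see section 7)")
    return env["H1_USER"].strip(), env["H1_TOKEN"].strip()


def redact(secret, keep=4):
    """Log-safe form of a secret: everything but the last few characters is masked."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return "*" * (len(secret) - keep) + secret[-keep:]


if __name__ == "__main__":
    # Constructed environment for a stand-alone run; drop the argument to use os.environ.
    user, token = load_h1_credentials({"H1_USER": "alice", "H1_TOKEN": "example-token-1234"})
    print(f"Authenticating as {user} with token {redact(token)}")
```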

What Undercode Say:

  • Data is the New Gold, Context is the Pickaxe: The raw number of bugs is a vanity metric. The true value, as shown by RoM and RoT, lies in contextualizing that data with time, severity, and business impact. A single critical bug open for a month is a far greater risk than ten low-severity bugs closed in a day.
  • Automation is Non-Negotiable: Manually calculating these metrics in spreadsheets is unsustainable and error-prone. The provided commands demonstrate that the path to a "living metric" is paved with APIs, scripting, and automated data pipelines. Security teams must invest in these engineering skills to keep pace.

Analysis: HackerOne's dashboard move signals a maturation of the bug bounty ecosystem. It's no longer sufficient to simply have a program; organizations must now demonstrate efficiency and effectiveness in managing the resulting firehose of vulnerability data. These dashboards shift the conversation from "How many bugs did we get?" to "How well are we managing our risk?" This forces a more strategic allocation of resources, aligning security efforts directly with business risk reduction. The technical barrier to replicating this analysis internally is moderate but necessary for any mature AppSec program.

Prediction:

The introduction of standardized, high-level metrics like RoM will create a bifurcation in the market. Top-tier organizations will leverage this data to optimize their programs, dramatically reducing their "risk debt" and showcasing their security maturity to customers and regulators. Conversely, organizations that fail to adopt this data-driven approach will find themselves at a severe competitive disadvantage, facing higher insurance premiums, more stringent contractual requirements, and an inability to quickly assess their true security posture during incidents. This will cement data analytics as a core competency for cybersecurity leadership.

Reported By: Victor Kausch - Hackers Feeds