| 1 | +# Downloading Reports |
| 2 | + |
| 3 | +The `bbscope reports` command downloads your vulnerability reports from bug bounty platforms as Markdown files. |
| 4 | + |
| 5 | +## HackerOne |
| 6 | + |
| 7 | +```bash |
| 8 | +# Download all your reports |
| 9 | +bbscope reports h1 --output-dir ./reports |
| 10 | + |
| 11 | +# Preview what would be downloaded (dry-run) |
| 12 | +bbscope reports h1 --output-dir ./reports --dry-run |
| 13 | + |
| 14 | +# Filter by program |
| 15 | +bbscope reports h1 --output-dir ./reports --program google --program microsoft |
| 16 | + |
| 17 | +# Filter by state (e.g., resolved, triaged, new, duplicate, informative, not-applicable, spam) |
| 18 | +bbscope reports h1 --output-dir ./reports --state resolved --state triaged |
| 19 | + |
| 20 | +# Filter by severity |
| 21 | +bbscope reports h1 --output-dir ./reports --severity critical --severity high |
| 22 | + |
| 23 | +# Combine filters |
| 24 | +bbscope reports h1 --output-dir ./reports --program google --state resolved --severity critical |
| 25 | + |
| 26 | +# Overwrite existing files |
| 27 | +bbscope reports h1 --output-dir ./reports --overwrite |
| 28 | +``` |
| 29 | + |
| 30 | +### Authentication |
| 31 | + |
| 32 | +Credentials can be provided via CLI flags or config file: |
| 33 | + |
| 34 | +```bash |
| 35 | +# CLI flags |
| 36 | +bbscope reports h1 --user your_username --token your_api_token --output-dir ./reports |
| 37 | +``` |
| 38 | + |
| 39 | +```yaml |
| 40 | +# ~/.bbscope.yaml |
| 41 | +hackerone: |
| 42 | + username: "your_username" |
| 43 | + token: "your_api_token" |
| 44 | +``` |
| 45 | +
|
| 46 | +### Output structure |
| 47 | +
|
| 48 | +Reports are saved as Markdown files organized by program: |
| 49 | +
|
| 50 | +``` |
| 51 | +reports/ |
| 52 | +└── h1/ |
| 53 | + ├── google/ |
| 54 | + │ ├── 123456_XSS_in_login_page.md |
| 55 | + │ └── 123457_IDOR_in_user_profile.md |
| 56 | + └── microsoft/ |
| 57 | + └── 234567_SSRF_in_webhook_handler.md |
| 58 | +``` |
| 59 | + |
| 60 | +Each file contains a metadata table (ID, program, state, severity, weakness, asset, bounty, CVE IDs, timestamps) followed by the vulnerability information and impact sections. |
| 61 | + |
| 62 | +### Dry-run output |
| 63 | + |
| 64 | +The `--dry-run` flag prints a table of matching reports without downloading: |
| 65 | + |
| 66 | +``` |
| 67 | +ID PROGRAM STATE SEVERITY CREATED TITLE |
| 68 | +123456 google resolved high 2024-01-15T10:30:00.000Z XSS in login page |
| 69 | +123457 google triaged critical 2024-02-20T14:00:00.000Z IDOR in user profile |
| 70 | +``` |
| 71 | + |
| 72 | +## Flags |
| 73 | + |
| 74 | +| Flag | Short | Description | |
| 75 | +|------|-------|-------------| |
| 76 | +| `--output-dir` | | Output directory for downloaded reports (required) | |
| 77 | +| `--program` | | Filter by program handle(s) | |
| 78 | +| `--state` | | Filter by report state(s) | |
| 79 | +| `--severity` | | Filter by severity level(s) | |
| 80 | +| `--dry-run` | | List reports without downloading | |
| 81 | +| `--overwrite` | | Overwrite existing report files | |
| 82 | + |
| 83 | +## How it works |
| 84 | + |
| 85 | +1. **List phase**: fetches all report summaries from the HackerOne API (`/v1/hackers/me/reports`), paginated at 100 per page. Filters are applied server-side using Lucene query syntax. |
| 86 | +2. **Download phase**: 10 parallel workers fetch full report details (`/v1/hackers/reports/{id}`) and write them as Markdown files. |
| 87 | +3. **Skip logic**: existing files are skipped unless `--overwrite` is set. |
| 88 | +4. **Rate limiting**: HTTP 429 responses trigger a 60-second backoff. Other transient errors are retried up to 3 times with a 2-second delay. |
| 89 | + |
| 90 | +> **Note**: The HackerOne Hacker API may not return draft reports or reports where you are a collaborator but not the primary reporter. If your downloaded count is lower than your dashboard total, this is likely the cause. |
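Review bot: The Flags table (rows `--output-dir` through `--overwrite`) omits `--user` and `--token`, which the Authentication section above uses in `bbscope reports h1 --user your_username --token your_api_token --output-dir ./reports`; add both rows so the table is complete, and either fill the `Short` column or drop it, since it is empty for every row. While documenting `--token`, it is worth a sentence that a token passed as a CLI flag ends up in shell history and process listings, so the `~/.bbscope.yaml` form shown right after it is the preferred way to supply credentials and that file should be readable only by the user. Under "Output structure", the filenames `123456_XSS_in_login_page.md` are built from report titles; the doc should state how titles are sanitized (path separators, leading dots, length) before being used as a filename, since the "How it works" section does not cover it.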