Jimmy Ly · Tools · 2 min read

Introducing the HackerOne Reports Dashboard

We built a dashboard that aggregates over 14,000 publicly disclosed HackerOne bug bounty reports with POC detection, searchable filters, and weekly auto-updates.

Bug bounty programmes are one of the best sources of real-world vulnerability data. HackerOne alone has thousands of publicly disclosed reports covering everything from XSS to critical account takeovers, but there’s no easy way to search, filter, and analyse them in one place.

We built reports.fortisec.co.uk to fix that.

What It Does

The dashboard aggregates over 14,000 publicly disclosed HackerOne reports into a single, searchable interface. At a glance you get:

  • Total disclosed reports, bounties paid, average and top bounty: key stats from the entire dataset.
  • Top vulnerability types and programmes: bar charts showing which bug classes and programmes appear most often.
  • Full report table: searchable by title, programme, or vulnerability type, with sort by upvotes or bounty.
  • POC detection: reports containing a Proof of Concept or Steps to Reproduce are flagged with a POC badge, and you can filter to show only those.

How It Works

The pipeline is straightforward:

  1. Fetch: Report metadata is pulled from HackerOne’s public Hacktivity feed.
  2. Scrape: Each report’s full body (the researcher’s writeup) is fetched from HackerOne’s JSON API and stored in a local SQLite database.
  3. Analyse: Report bodies are scanned for POC indicators using keyword matching. An optional LLM pass can be added for more nuanced classification.
  4. Build: A static site is generated from the data and deployed to Cloudflare Pages.
  5. Repeat: A GitHub Actions workflow runs weekly to pick up new disclosures.

Everything is incremental. The initial scrape of 14,000+ reports takes a few hours, but subsequent runs only fetch new reports, typically a few minutes.

POC Detection

Not every disclosed report includes reproduction steps. Some are high-level descriptions, while others contain full exploit code. We flag reports as having a POC when the body contains patterns like:

  • Steps to Reproduce
  • Proof of Concept
  • ## POC
  • Reproduction steps or exploit instructions

This keyword-based approach catches the majority of cases. For finer-grained classification, the pipeline supports sending ambiguous reports to an LLM (OpenAI or Anthropic) for a second pass.
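As an added example (not the dashboard's own h1dash.py code), here is a keyword pass of the kind step 3 above and this section describe, run over constructed sample report bodies. Splitting the indicators into strong patterns (which earn the POC badge) and weak hints (which only queue the report for the optional LLM second pass) is my assumption about how ambiguous reports are routed.

```python
import re
from dataclasses import dataclass, field

# Strong indicators: the heading/phrase patterns the dashboard keys on.
STRONG_PATTERNS = {
    "steps_to_reproduce": re.compile(r"\bsteps?\s+to\s+reproduce\b", re.I),
    "proof_of_concept": re.compile(r"\bproof[\s-]+of[\s-]+concept\b", re.I),
    "poc_heading": re.compile(r"^\s*#{1,6}\s*po?c\b", re.I | re.M),
    "reproduction_steps": re.compile(r"\breproduction\s+steps\b", re.I),
    "exploit_instructions": re.compile(r"\bexploit\s+(?:instructions|steps)\b", re.I),
}
# Weak hints (assumption): a bare mention does not prove a walkthrough exists,
# so these only mark the report as a candidate for the optional LLM second pass.
WEAK_PATTERNS = {
    "poc_mention": re.compile(r"\bpoc\b", re.I),
    "reproduce_verb": re.compile(r"\breproduc(?:e|ed|ing)\b", re.I),
}

@dataclass
class PocResult:
    has_poc: bool
    needs_review: bool              # ambiguous: hand to the LLM pass
    matched: list = field(default_factory=list)

def detect_poc(body: str) -> PocResult:
    """Keyword pass: strong hit -> POC badge; weak hit only -> review queue."""
    strong = [name for name, rx in STRONG_PATTERNS.items() if rx.search(body)]
    if strong:
        return PocResult(True, False, strong)
    weak = [name for name, rx in WEAK_PATTERNS.items() if rx.search(body)]
    return PocResult(False, bool(weak), weak)

# Constructed sample report bodies (not real HackerOne reports).
SAMPLE_REPORTS = {
    "r1": "## Summary\nReflected XSS in the search field.\n\n"
          "## Steps to Reproduce\n1. Open the search page.\n2. Submit the query and observe the popup.",
    "r2": "A high-level description of an authorization flaw; the vendor fixed it before disclosure.",
    "r3": "The triage team was able to reproduce the issue internally, but details were withheld.",
    "r4": "## PoC\nA single request demonstrates the issue (request omitted in this sample).",
}

def classify_reports(reports: dict) -> dict:
    """Run the keyword pass over every body, as the analyse step would."""
    return {rid: detect_poc(body) for rid, body in reports.items()}

if __name__ == "__main__":
    for rid, res in classify_reports(SAMPLE_REPORTS).items():
        print(rid, "POC" if res.has_poc else ("review" if res.needs_review else "no"), res.matched)
```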

Tech Stack

  • Python: single CLI script (h1dash.py) handles fetch, scrape, analyse, and build.
  • SQLite: stores scraped report bodies, severity, CVEs, summaries, and POC flags.
  • Vanilla JS: no frameworks, no build step. The frontend is a static HTML/CSS/JS site.
  • Cloudflare Pages: hosting with a custom domain.
  • GitHub Actions: weekly CI pipeline to fetch new data, scrape, analyse, build, and deploy.

Check it out at reports.fortisec.co.uk.
