Jira Integration
HackerOne offers a bi-directional Jira integration that syncs information between your HackerOne report and the Jira issue. You can choose to integrate with Jira Cloud or Jira Server. This means that Jira users can sync specific workflows from Jira to HackerOne and vice versa, from HackerOne to Jira. This integration helps your development and security teams stay aligned, and contributes to a better workflow to process security vulnerabilities as it minimizes the back and forth between Jira and HackerOne.
Creating a Jira issue
You can create new Jira issues for reports you receive on HackerOne.
To create a new Jira issue from your HackerOne report:
- Go to the HackerOne report in your inbox that you want to create a new Jira issue for.
- Click Edit next to References.
- Click Create Jira issue.
- Select the project that you want the issue to link to in the dropdown. Note: This option occurs only if you have multiple projects to select from. If you only have 1 project, the issue will automatically escalate to that project.
- Click on the Jira ID to access the report in Jira.
- Add comments or change the state of the report in Jira.
When you perform an action on the Jira report such as adding a comment or changing the status of the report, Hackbot will generate an internal comment on the HackerOne report to reflect the changes.
Linking HackerOne Reports to Existing Jira Tasks
You can link your HackerOne reports to existing Jira tasks.
To link your reports:
- Go to the HackerOne report in your inbox that you want to link to Jira.
- Click Edit next to References.
- Enter the Jira ticket reference ID in the Link Jira ticket field.
- Click Link Jira issue.
The HackerOne report will now be linked to the Jira task, and all activities that are performed on the report will be synced to the corresponding task.
There's also another way you can link your HackerOne reports to Jira. You can:
- Go to the bottom of your HackerOne report.
- Select Change state > Triaged in the action picker.
- Enter the Jira ticket number in the Enter Jira ticket # field.
- Click Link Jira issue.
Syncing updates from HackerOne to Jira
With the Jira integration you can sync these report updates to Jira:
- Report Comments
- State changes
- Rewards
- Assignee changes
- Public disclosure
All updates on a report are synced as a comment to Jira. Additionally, all actions are configureable and can be toggled from the Jira integration settings page.
If you've configured your own custom fields, you can use them in the Jira integration. All custom fields automatically appear as available variables that you can use to set up the field mapping between HackerOne and Jira.
Syncing updates from Jira to HackerOne
To make sure your security team stays up to date with the changes that happen in Jira, you can sync back activities from Jira to the HackerOne report. All updates from Jira will be reflected in HackerOne as an internal comment on the associated report.
We currently support these activities from Jira to HackerOne:
- Comments
- State changes
- Resolution changes
- Assignee changes
- Priority changes
You can choose which events you want to synchronize from Jira as each of the activities can be toggled individually.
Automatically resolving a HackerOne report
You can set your integration to automatically close a HackerOne report as Resolved when a Jira issue closes. This enables the hacker to be notified right away when the Jira issue that's linked to the report is closed. In the Select Jira to HackerOne events section of the integration setup, select the Jira issue status that will trigger the closure of the HackerOne report.
HackerOne Severity to Jira Priority Mapping
You can map HackerOne severity ratings to the Jira priority fields when configuring your integration. This enables the right priority to be set when escalating a report to Jira.
Installing the Jira integration
You can choose to integrate from 2 different types of Jira integrations:
| Option | Details |
|---|---|
| Jira Cloud | You can access Jira from anywhere in the world. |
| Jira Server | Jira is self-hosted and can be behind a firewall or VPN. |