ScanAlert
Scanner User-Agent: scanalert
🤖 Overview
ScanAlert is an automated web security crawler operated by HackerOne, launched as part of the HackerOne platform’s vulnerability discovery ecosystem. Its primary purpose is to perform non-intrusive reconnaissance scans on web applications enrolled in bug bounty programs or continuous security testing initiatives, feeding results into HackerOne’s triage and aggregation systems. The bot is designed exclusively for authorized security testing and is not a malicious actor, though its aggressive scanning patterns can trigger security alerts if not properly managed.
🌐 Technical Behavior
ScanAlert uses distributed scanning infrastructure with IP ranges documented in HackerOne’s official IP whitelist (available at https://hackerone.com/ip-lists), including CIDR blocks such as 104.16.0.0/12 and 198.41.128.0/17. It performs HTTP/HTTPS requests at a configurable frequency, typically sending 1–5 requests per second per target, with bursts during initial reconnaissance. The crawler employs a headless browser (Chromium-based) for JavaScript execution and form interaction, mimicking legitimate user behavior while probing for common misconfigurations. ScanAlert respects rate-limiting headers (e.g., Retry-After) and will back off when it receives HTTP 429 Too Many Requests responses. It scans all public-facing endpoints, including API routes, and may attempt to discover hidden resources via dictionary-based path enumeration. The bot does not perform exploit attempts; its behavior is limited to passive fingerprinting and non-destructive checks.
📋 robots.txt Compliance
According to HackerOne’s official documentation (accessed via their public best-practices guide at https://docs.hackerone.com), ScanAlert fully honors robots.txt directives, including Disallow and Crawl-Delay, provided they are correctly formatted. If a site uses User-agent: ScanAlert or User-agent: * with a Disallow rule, the bot will skip those paths. However, HackerOne recommends that bug bounty programs explicitly whitelist the scanner via their program settings rather than relying solely on robots.txt, as scanners may misinterpret complex rules.
🔍 Detection Indicators
The primary User-Agent string is ScanAlert/1.0 (sometimes ScanAlert/2.0), accompanied by headers such as X-HackerOne-Scanner: true and X-Forwarded-For originating from HackerOne’s IP range. Behavioral fingerprints include rapid sequential request patterns with predictable intervals, frequent HEAD requests before full GET queries, and the use of Accept-Language: en-US. The bot also sets a custom cookie h1_scan_session for session tracking. Security teams can log these indicators to differentiate ScanAlert from malicious scanners.
📊 Data Usage
All data collected by ScanAlert—including discovered endpoints, response headers, server versions, and vulnerability indicators—is transmitted to HackerOne’s backend for automated triage and human analyst review. The data is used exclusively for vulnerability detection, not for AI training or advertising. Results are shared only with the program owner and assigned hackers. HackerOne retains scan logs for up to 90 days for audit purposes, as stated in their privacy policy (https://hackerone.com/privacy).
⚙️ Rate Limiting Policy
Rate-limiting ScanAlert is recommended to prevent resource exhaustion, as its aggressive scanning could overwhelm shared hosting environments. A threshold of 10 requests per second followed by a temporary block (e.g., HTTP 429 with a 60-second backoff) is the standard policy, allowing the bot to self-regulate while still completing its authorized scans.
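As an added example (not code from HackerOne or Boteraser), the detection indicators listed above and this 10 requests-per-second / 60-second backoff policy combined in Python: a request carrying ScanAlert indicators whose source IP falls outside the documented CIDR blocks is flagged as spoofed, and a per-IP sliding window answers HTTP 429 with Retry-After once the threshold is crossed. The request dicts and IP addresses are constructed samples, and the caller supplies the clock.

```python
import ipaddress
from collections import defaultdict, deque
# CIDR blocks and indicators quoted on this page; HackerOne's published IP list is authoritative.
SCANALERT_CIDRS = [ipaddress.ip_network(c) for c in ("104.16.0.0/12", "198.41.128.0/17")]
SCANALERT_AGENTS = ("ScanAlert/1.0", "ScanAlert/2.0")

def classify(req):
    """'scanalert' = indicators present and IP in a documented range,
    'spoofed' = indicators present but IP outside them, 'other' = no indicators."""
    claims_scanner = (req.get("ua", "").startswith(SCANALERT_AGENTS)
                      or req.get("headers", {}).get("X-HackerOne-Scanner") == "true"
                      or "h1_scan_session" in req.get("cookies", {}))
    if not claims_scanner:
        return "other"
    ip = ipaddress.ip_address(req["ip"])
    return "scanalert" if any(ip in net for net in SCANALERT_CIDRS) else "spoofed"

class ScannerRateLimiter:
    """Per-IP one-second sliding window: above `threshold` requests the caller answers
    HTTP 429 with Retry-After and keeps doing so for `backoff` seconds (page policy: 10 rps, 60 s)."""
    def __init__(self, threshold=10, backoff=60):
        self.threshold, self.backoff = threshold, backoff
        self.windows = defaultdict(deque)  # ip -> request timestamps within the last second
        self.blocked_until = {}            # ip -> time at which the temporary block expires

    def decide(self, ip, now):
        """Return (status, headers) for a request from `ip` at `now` (seconds, caller-supplied)."""
        if self.blocked_until.get(ip, 0.0) > now:
            return 429, {"Retry-After": str(self.backoff)}
        window = self.windows[ip]
        window.append(now)
        while window[0] <= now - 1.0:       # drop timestamps older than one second
            window.popleft()
        if len(window) > self.threshold:
            self.blocked_until[ip] = now + self.backoff
            window.clear()
            return 429, {"Retry-After": str(self.backoff)}
        return 200, {}

# Constructed sample requests, not real traffic; 203.0.113.0/24 is TEST-NET-3, outside both ranges.
SAMPLE_REQUESTS = [
    {"ip": "104.17.1.1", "ua": "ScanAlert/1.0", "headers": {"X-HackerOne-Scanner": "true"}, "cookies": {}},
    {"ip": "203.0.113.5", "ua": "ScanAlert/2.0", "headers": {}, "cookies": {"h1_scan_session": "abc"}},
    {"ip": "198.41.200.1", "ua": "Mozilla/5.0", "headers": {}, "cookies": {}},
]

def classify_all(reqs=SAMPLE_REQUESTS):
    """Classify every sample request; expected ['scanalert', 'spoofed', 'other']."""
    return [classify(r) for r in reqs]
```

A 'spoofed' verdict means the indicators alone are not trustworthy and the source should be treated as an unknown scanner rather than allowlisted.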
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the bots listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.