Labsco
bitwarden logo

auditing-hackerone-vulns

โ˜… 121

by bitwarden ยท part of bitwarden/ai-plugins

Audit all open HackerOne-sourced VULN Jira tickets and their linked engineering child items to identify what needs action. Use this skill whenever the user wants to: check VULN ticket status, see which HackerOne findings need status updates, identify vulnerabilities ready to verify or close, run a remediation audit, check "what do I need to do on my VULN tickets today", or get a prioritized view of open vulnerabilities. Outputs a sorted action table with emoji tokens. Always use this skill for H

๐Ÿงฉ One of 7 skills in the bitwarden/ai-plugins package โ€” works on its own, and pairs well with its siblings.

This is the playbook your agent receives when the skill activates โ€” you don't need to read it to use the skill, but it's here to audit before installing.

Action tokens (sorted order in output)

TokenLabelWhen it applies
๐Ÿ”ดUpdate VULN StatusChild item has progressed (In Progress/Review) but VULN is still at a lower status
๐ŸŸกMark RemediatedChild item is Done โ€” set Remediation Date to merged PR date and move VULN to Remediated
๐ŸŸขVerify & CloseFix is in a release that has already shipped โ€” verify in prod, add Confirmation Date, close HackerOne
๐Ÿ”ตMonitorWork is actively in progress or in a pending release; no action needed yet
โšชWaitingChild item exists but hasn't started
โž–No Child ItemVULN is Ready for Resolution but no engineering ticket linked yet

Step 1 โ€” Query open VULN issues

Use search_issues with this JQL:

project = VULN AND status not in (Done, Verified) AND "Source" = "HackerOne" ORDER BY priority DESC, updated DESC

Request fields: summary, status, description, priority, created, updated

Paginate if needed (default max 50; use nextPageToken to get all).


Step 2 โ€” Find child engineering items for each VULN

For each VULN key, run:

issue in linkedIssues("VULN-XXX")

Request fields: summary, status, fixVersions, project

  • A VULN may have multiple child items. Collect them all.
  • Ignore items in the same VULN project (those are sibling VULNs, not engineering tickets).
  • Child items with [VULN] in the summary are the primary engineering tracking items.
  • Some VULNs (especially fresh "Ready for Resolution") may have no child items yet โ†’ token โž–.

Step 3 โ€” Classify child item statuses

Map Jira statuses to these categories:

CategoryExample statuses
Not StartedTo Do, Backlog, Open, New, In Analysis
In ProgressIn Progress, In Development, In Review, Code Review, In Testing
DoneDone, Closed, Resolved, Completed
AbandonedAbandoned, Won't Fix, Duplicate, Canceled

For VULNs with multiple children: the highest-priority active child drives the action token. "In Progress" outranks "Not Started"; "Done" only counts if all non-abandoned children are Done.


Step 4 โ€” Search GitHub for PRs linked to child items

JSON parsing rule โ€” Always use gh's built-in --jq flag or standalone jq for JSON parsing. Never pipe to python3 or any other interpreter โ€” Python is not in this skill's allowed-tools and will trigger a permission prompt. If stderr suppression is needed, place 2>/dev/null after the full gh api ... --jq '...' command, not before:

# Correct โ€” 2>/dev/null after --jq, before the next pipe
gh api --method GET "repos/bitwarden/REPO/compare/A...B?per_page=250" \
  --jq '.commits[] | .commit.message | split("\n")[0]' 2>/dev/null \
  | grep "#PR_NUMBER"

PR search โ€” Use gh search prs to find PRs. If that fails, fallback to the GitHub API with gh api --method GET "search/"

gh api --method GET "search/issues?q=CHILD-KEY+type:pr+org:bitwarden&per_page=10" \
  --jq '.items[] | {number,title,state,mergedAt,url:.html_url}'

For each PR that appears to be the correct fix (match on title/ticket key), get accurate merge details:

gh pr view PR_URL --json state,mergedAt,mergeCommit,baseRefName,title

Determining release inclusion โ€” Bitwarden's repos (server, clients) use release branches with cherry-picks. The merge commit SHA on main gets a new SHA when cherry-picked, so compare/TAG...COMMIT_SHA always returns "diverged" and is unreliable. Do not use it.

The correct method is to compare consecutive release tags and search for the PR number in commit messages (cherry-picks preserve the original PR number):

# 1. List non-draft, non-prerelease tags for the relevant repo
gh release list --repo bitwarden/REPO --limit 20 \
  --json tagName,publishedAt,isDraft,isPrerelease \
  | jq '.[] | select(.isDraft == false and .isPrerelease == false)'

# 2. Find the two consecutive tags that bracket the expected fix release
#    (e.g., v2026.4.0 and v2026.4.1)

# 3. List all commits in that range and grep for the PR number
gh api --method GET "repos/bitwarden/REPO/compare/TAG_PREV...TAG_RELEASE?per_page=250" \
  --jq '.commits[] | .commit.message | split("\n")[0]' \
  | grep "#PR_NUMBER"
  • If the PR number is found โ†’ the fix is in that release โœ…
  • If the PR number is NOT found โ†’ the fix missed the RC cut and is NOT in that release โŒ

clients monorepo note: The bitwarden/clients repo publishes separate release tags per client type: web-vYYYY.M.P, cli-vYYYY.M.P, browser-vYYYY.M.P, desktop-vYYYY.M.P. A fix deployed in web-v2026.4.2 does not mean the browser extension has it โ€” always check the specific product's tag if the vulnerability affects a specific client.

Simple repos (e.g., sm-action) use direct pushes without cherry-picks. For those, compare/COMMIT_SHA...TAG returning "ahead" means the TAG is a descendant of the commit โ€” i.e., the commit IS in the release.

To confirm a release has been deployed to production, check the published date from gh release list. If publishedAt is in the past and the release is not draft/prerelease, it is live.


Step 5 โ€” Determine action token for each VULN

Apply this decision tree to every VULN, using the child item statuses classified in Step 3 and the PR/release data from Step 4:

VULN status "Ready for Resolution":
  โ†’ No child items linked?                                     โ†’ โž– No Child Item
  โ†’ Child item exists, status Not Started?                     โ†’ โšช Waiting
  โ†’ Child item In Progress?                                    โ†’ ๐Ÿ”ด Update VULN to In Progress
  โ†’ All child items Done?                                      โ†’ ๐ŸŸก Mark Remediated

VULN status "In Progress" or "In Review":
  โ†’ Child item(s) still In Progress?                          โ†’ ๐Ÿ”ต Monitor
  โ†’ All child items Done, PR not yet found?                   โ†’ ๐ŸŸก Mark Remediated (investigate date)
  โ†’ All child items Done, PR merged?                          โ†’ ๐ŸŸก Mark Remediated (use PR merge date)

VULN status "Remediated":
  โ†’ Cannot determine release?                                  โ†’ ๐Ÿ”ต Monitor
  โ†’ PR in an upcoming/unreleased version?                      โ†’ ๐Ÿ”ต Monitor (release pending)
  โ†’ PR in a released, deployed version?                        โ†’ ๐ŸŸข Verify & Close

The Remediation Date should be the date the fix PR was merged to the default branch.


Step 6 โ€” Format the output report

Use this template. Omit any section (including <details> blocks) that has zero items โ€” do not render empty headings or empty tables.

# ๐Ÿค– HackerOne VULN Audit โ€” {YYYY-MM-DD}

## Summary

| Token | Category                 | Count |
| ----- | ------------------------ | ----- |
| ๐Ÿ”ด    | Need Status Update       | {n}   |
| ๐ŸŸก    | Ready to Mark Remediated | {n}   |
| ๐ŸŸข    | Ready to Verify & Close  | {n}   |
| ๐Ÿ”ต    | Monitoring               | {n}   |
| โšช    | Waiting                  | {n}   |
| โž–    | Missing Child Item       | {n}   |

{2โ€“4 bullets: overall remediation health, anything overdue or stalled, patterns worth noting, any tickets with incomplete data that need manual follow-up}

## ๐Ÿ”ด Update VULN Status

| VULN            | Priority | Summary                        | HackerOne       | Child Item(s)   | Child Status | Action                   |
| --------------- | -------- | ------------------------------ | --------------- | --------------- | ------------ | ------------------------ |
| [VULN-529](https://github.com/bitwarden/ai-plugins/blob/main/plugins/bitwarden-security-engineer/skills/auditing-hackerone-vulns/) | High     | Summary truncated to ~60 chars | [#3673748](https://github.com/bitwarden/ai-plugins/blob/main/plugins/bitwarden-security-engineer/skills/auditing-hackerone-vulns/) | [PM-35250](https://github.com/bitwarden/ai-plugins/blob/main/plugins/bitwarden-security-engineer/skills/auditing-hackerone-vulns/) | In Progress  | Move VULN to In Progress |

## ๐ŸŸก Mark Remediated

| VULN            | Priority | Summary                        | HackerOne       | Child Item(s)   | PR / Merged                    | Action                                        |
| --------------- | -------- | ------------------------------ | --------------- | --------------- | ------------------------------ | --------------------------------------------- |
| [VULN-529](https://github.com/bitwarden/ai-plugins/blob/main/plugins/bitwarden-security-engineer/skills/auditing-hackerone-vulns/) | High     | Summary truncated to ~60 chars | [#3673748](https://github.com/bitwarden/ai-plugins/blob/main/plugins/bitwarden-security-engineer/skills/auditing-hackerone-vulns/) | [PM-35250](https://github.com/bitwarden/ai-plugins/blob/main/plugins/bitwarden-security-engineer/skills/auditing-hackerone-vulns/) | [#1234](https://github.com/bitwarden/ai-plugins/blob/main/plugins/bitwarden-security-engineer/skills/auditing-hackerone-vulns/) merged 2026-04-30 | Set Remediated + Remediation Date: 2026-04-30 |

## ๐ŸŸข Verify & Close

| VULN            | Priority | Summary                        | HackerOne       | Child Item(s)   | PR / Release                         | Action                                                              |
| --------------- | -------- | ------------------------------ | --------------- | --------------- | ------------------------------------ | ------------------------------------------------------------------- |
| [VULN-529](https://github.com/bitwarden/ai-plugins/blob/main/plugins/bitwarden-security-engineer/skills/auditing-hackerone-vulns/) | High     | Summary truncated to ~60 chars | [#3673748](https://github.com/bitwarden/ai-plugins/blob/main/plugins/bitwarden-security-engineer/skills/auditing-hackerone-vulns/) | [PM-35250](https://github.com/bitwarden/ai-plugins/blob/main/plugins/bitwarden-security-engineer/skills/auditing-hackerone-vulns/) | [#1234](https://github.com/bitwarden/ai-plugins/blob/main/plugins/bitwarden-security-engineer/skills/auditing-hackerone-vulns/) โ†’ v2026.4.0 โœ… deployed | Verify fix in prod, add Confirmation Date, close HackerOne #3673748 |

<details>
<summary>๐Ÿ”ต Monitoring ({n} items โ€” no action needed yet)</summary>

| VULN            | Priority | Summary                        | HackerOne       | Child Item(s)   | Child Status | PR / Release                        |
| --------------- | -------- | ------------------------------ | --------------- | --------------- | ------------ | ----------------------------------- |
| [VULN-529](https://github.com/bitwarden/ai-plugins/blob/main/plugins/bitwarden-security-engineer/skills/auditing-hackerone-vulns/) | High     | Summary truncated to ~60 chars | [#3673748](https://github.com/bitwarden/ai-plugins/blob/main/plugins/bitwarden-security-engineer/skills/auditing-hackerone-vulns/) | [PM-35250](https://github.com/bitwarden/ai-plugins/blob/main/plugins/bitwarden-security-engineer/skills/auditing-hackerone-vulns/) | In Progress  | [#1234](https://github.com/bitwarden/ai-plugins/blob/main/plugins/bitwarden-security-engineer/skills/auditing-hackerone-vulns/) โ†’ v2026.9.0 โณ pending |

</details>

<details>
<summary>โšช Waiting ({n} items โ€” not yet started)</summary>

| VULN            | Priority | Summary                        | HackerOne       | Child Item(s)   | VULN Status          |
| --------------- | -------- | ------------------------------ | --------------- | --------------- | -------------------- |
| [VULN-529](https://github.com/bitwarden/ai-plugins/blob/main/plugins/bitwarden-security-engineer/skills/auditing-hackerone-vulns/) | Medium   | Summary truncated to ~60 chars | [#3673748](https://github.com/bitwarden/ai-plugins/blob/main/plugins/bitwarden-security-engineer/skills/auditing-hackerone-vulns/) | [PM-35250](https://github.com/bitwarden/ai-plugins/blob/main/plugins/bitwarden-security-engineer/skills/auditing-hackerone-vulns/) | Ready for Resolution |

</details>

<details>
<summary>โž– Missing Child Item ({n} items โ€” needs engineering ticket)</summary>

| VULN            | Priority | Summary                        | HackerOne       | VULN Status          | Created    |
| --------------- | -------- | ------------------------------ | --------------- | -------------------- | ---------- |
| [VULN-529](https://github.com/bitwarden/ai-plugins/blob/main/plugins/bitwarden-security-engineer/skills/auditing-hackerone-vulns/) | Low      | Summary truncated to ~60 chars | [#3673748](https://github.com/bitwarden/ai-plugins/blob/main/plugins/bitwarden-security-engineer/skills/auditing-hackerone-vulns/) | Ready for Resolution | 2026-03-15 |

</details>

Formatting notes:

  • VULN: Jira link, e.g. [VULN-529](https://bitwarden.atlassian.net/browse/VULN-529)
  • HackerOne: Report link extracted from the first line of the description, e.g. [#3673748](https://hackerone.com/reports/3673748). If not found, show unknown and flag it in the summary bullets.
  • Child Item(s): Jira link(s), e.g. [PM-35250](https://bitwarden.atlassian.net/browse/PM-35250). If multiple, list each on its own line within the cell.
  • PR / Release: e.g. [#1234](https://github.com/bitwarden/ai-plugins/blob/main/plugins/bitwarden-security-engineer/skills/auditing-hackerone-vulns/PR_URL) โ†’ v2026.8.0 โœ… deployed, [#1234](https://github.com/bitwarden/ai-plugins/blob/main/plugins/bitwarden-security-engineer/skills/auditing-hackerone-vulns/PR_URL) โ†’ v2026.9.0 โณ pending, or No PR found
  • Action: One-line plain-English instruction specific to the token, e.g. "Move to In Progress", "Set Remediated + Remediation Date: 2026-04-30", or "Verify fix in prod, add Confirmation Date, close HackerOne #3673748"
  • Truncate long summaries to ~60 chars

Edge cases

  • VULN with 3+ child items (e.g., one abandoned, one done, one in progress): the in-progress one drives the token. Show all children in the table.
  • Child item abandoned / Won't Fix: Skip it for status purposes. If all children are abandoned, flag the VULN with ๐Ÿ”ต and note "all child items abandoned โ€” review needed."
  • Fresh VULN with no description HackerOne URL: Extract the report URL from the first line of the description. If not found, show "HackerOne: unknown" and flag it.
  • PR search returns no results: Note "No PR found" in the table and still apply the decision tree using child item status alone.
  • Fix version "vNext-full" or similar placeholder: Treat as "unreleased" until a real version number appears.