
ScopeWatch

1 devlog
1h 25m 24s

A scope-aware monitoring tool for HackerOne that detects non-intrusive security exposure signals.


Ivole32

Devlog 2026-01-18 [1]

HackerOne Scope Fetching & ZAP Automation

Today I started working on fetching program scopes directly from the HackerOne API. The goal was to automatically collect in-scope assets (especially URLs) and prepare them for further analysis.

After that, I built a small automation that feeds those URLs into OWASP ZAP, running in the background. Instead of doing heavy active scans, the idea was to keep it simple: just loading the pages through the ZAP proxy to quickly surface low-hanging fruit such as obvious misconfigurations, exposed endpoints, or basic security issues.

While testing this setup, I kind of drifted off and started manually looking for security issues on some of the targets instead of continuing with the tooling and automation part 😄. Because of that, the automation is still pretty minimal and rough around the edges.

I’ll continue tomorrow by cleaning up the code, improving the ZAP integration, and making the whole pipeline more stable and configurable.

Stay tuned.
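
Added example, not part of the devlog or the ScopeWatch code: one way to turn fetched scope records into the list of URLs that may be loaded through the proxy, keeping only assets marked as in scope. It assumes the scope listing is JSON:API-shaped with `asset_type`, `asset_identifier` and `eligible_for_submission` attributes; the sample records and all function names are constructed for illustration.

```python
from urllib.parse import urlsplit

def _rec(asset_type, identifier, eligible):
    # Helper that builds one constructed scope record (assumed response shape).
    return {"type": "structured-scope", "attributes": {
        "asset_type": asset_type, "asset_identifier": identifier,
        "eligible_for_submission": eligible}}

# Constructed sample data; example.com and 192.0.2.0/24 are reserved for documentation.
SAMPLE = {"data": [
    _rec("URL", "https://app.example.com", True),
    _rec("URL", "api.example.com/v1", True),        # no scheme given
    _rec("URL", "legacy.example.com", False),       # listed but out of scope
    _rec("WILDCARD", "*.example.com", True),        # not a single loadable page
    _rec("CIDR", "192.0.2.0/24", True),
    _rec("URL", "HTTPS://App.Example.com/", True),  # duplicate after normalizing
]}

def normalize(identifier):
    """Return a canonical http(s) URL, or None if it cannot be loaded as-is."""
    ident = identifier.strip()
    if not ident or "*" in ident:
        return None
    if "://" not in ident:
        ident = "https://" + ident
    parts = urlsplit(ident)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    netloc = parts.hostname + (f":{parts.port}" if parts.port else "")
    return f"{parts.scheme}://{netloc}{parts.path.rstrip('/')}"

def select_targets(payload):
    """Split scope records into loadable in-scope URLs and skipped assets."""
    targets, skipped = [], []
    for item in payload.get("data", []):
        attrs = item.get("attributes", {})
        ident = attrs.get("asset_identifier", "")
        if attrs.get("asset_type") != "URL":
            skipped.append((ident, "not a URL asset"))
        elif not attrs.get("eligible_for_submission", False):
            skipped.append((ident, "out of scope"))
        elif (url := normalize(ident)) is None:
            skipped.append((ident, "not loadable"))
        elif url not in targets:
            targets.append(url)
    return targets, skipped

def in_scope(url, targets):
    """True only if the URL's host exactly matches a selected target's host."""
    return urlsplit(url).hostname in {urlsplit(t).hostname for t in targets}
```

Running `in_scope` on every URL before it is requested keeps redirects and discovered links from pulling the tool onto hosts the program did not list.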
