
Exporting Your Account Data

How to request, download, and understand a full export of your account data for compliance or portability — including a complete breakdown of VDP/CSIRT data categories.

Why It Matters

Data portability is both a legal right and a practical need. GDPR Article 20 and CCPA grant your team the right to receive a complete copy of your account data in a machine-readable format. Beyond compliance, data exports are useful for backups, audits, and migrating to other tools.

Kit provides a one-click data export that packages everything — records, files, and attachments — into a single downloadable ZIP archive.

Who Can Request an Export

Only account administrators can request data exports. This protects sensitive hiring data, candidate information, and billing records from unauthorized access.

Non-admin team members will not see the Data Export option in account settings.

How to Request an Export

  1. Navigate to Account Settings in the sidebar
  2. Click Data Export
  3. Click Request Data Export
  4. Watch the progress bar as each data category is processed
  5. Once complete, click Download to get your ZIP archive

The export runs in the background — you can navigate away and come back later. You’ll also receive an email when it’s ready.

What’s Included

The export contains ~60 data categories covering your entire account:

| Category | What’s Included |
|---|---|
| Core | Account details, team members, invitations, settings |
| Hiring | Job postings, candidates, applications, stages, submissions, reviews, notes, interviews, offers, rejections |
| Communication | AI chat history, SMS messages, email records, Slack messages |
| Integrations | GitHub, Slack, Google Calendar, Google Meet connection metadata |
| Scheduling | Availability schedules, calendar sources, meeting records |
| Vulnerability Disclosure | 17+ data categories: programs, reports, assessments, messages, bounties, disbursements, researchers, and more. See full breakdown below. |
| Billing | Customer records, subscriptions, charge history |
| Other | Ideas, webhooks, webhook delivery logs |

Attachments

All uploaded files are included in an attachments/ directory within the ZIP:

  • Candidate resumes and portfolios
  • Code assignment submissions
  • File-based stage submissions
  • Any other uploaded documents

Vulnerability Disclosure (VDP)

If your account has the VDP module enabled, the export includes a complete snapshot of your program’s history. This is the full-fidelity data export — every field, every record, in structured JSON — suitable for migration, legal hold, or long-term backup.

| JSON File | What It Contains |
|---|---|
| csirt_programs.json | Program configuration: name, slug, scope config, SLA targets, bounty matrix, portal config, activation date |
| csirt_reports.json | All submitted reports: title, description, severity, status, CVSS vector, vulnerability type, submission timestamp, screening flags |
| csirt_status_transitions.json | Complete status history for every report: who transitioned it, when, and from which status |
| csirt_assessments.json | Severity assessments: CVSS vector, computed score, severity tier, notes, assessor |
| csirt_assignments.json | Report assignment history: assignee, assigner, timestamp |
| csirt_dismissals.json | Dismissal records: reason code, notes, dismisser, timestamp |
| csirt_appeals.json | Appeal records: grounds, outcome, reviewer, timestamp |
| csirt_agreements.json | Researcher safe harbor agreement acceptances: version, accepted_at |
| csirt_messages.json | Full message threads: both researcher-facing and internal staff notes, with sender and timestamp |
| csirt_message_templates.json | Custom message templates for researcher communication |
| csirt_bounty_awards.json | Approved bounty amounts, currencies, and notes |
| csirt_disbursements.json | Disbursement records: status, method, amount (transaction references redacted) |
| csirt_ledger_entries.json | Complete financial audit trail: entry type, amount, actor, timestamp |
| csirt_researchers.json | Researcher profiles: handle, email, reputation tier, karma score, report counts (payout info redacted) |
| csirt_karma_events.json | Karma change events: reason, delta, associated report |
| csirt_ai_screenings.json | AI screening results: confidence score, flags detected, recommendation, reasoning |
| csirt_spam_records.json | Spam classification records |
| csirt_hall_of_fame_entries.json | Hall of Fame opt-in records: researcher, featured status, opt-in timestamp |

Redacted VDP fields (replaced with [REDACTED]):

  • researcher.payout_info — Bank account details, routing numbers, account holder names
  • researcher.tax_id — Tax identification numbers from W-9/W-8BEN documents
  • disbursement.transaction_reference — External payment processor transaction IDs

Excluded from VDP export entirely:

  • csirt_researcher_events — IP addresses, user agents, and browser fingerprints logged during researcher portal sessions. These are an internal audit trail, not your data to export.

What’s Excluded or Redacted (all categories)

For security and compliance, certain data is handled specially across the entire export:

| Treatment | Examples |
|---|---|
| Redacted (replaced with [REDACTED]) | OAuth tokens, API keys, signing secrets, refresh tokens, magic link tokens, researcher payout info, disbursement transaction references, researcher tax IDs |
| Excluded entirely | Payment methods (PCI compliance), encrypted passwords, OTP secrets, researcher event logs (IP/user-agent audit trail) |

Two Types of VDP Exports

Kit provides two distinct export mechanisms for VDP data. They serve different purposes — understanding the difference prevents confusion at audit time.

| | Account Data Export (this page) | SOC 2 VDP Export (Metrics and Exports) |
|---|---|---|
| Purpose | Data portability, backup, migration | Auditor evidence, compliance reporting |
| Format | JSON (full fidelity, every field) | CSV or PDF (formatted for auditors) |
| Scope | Complete program history, all 17+ data types | Filtered by date range, status, severity |
| Access | Account Settings → Data Export | VDP → Exports |
| Requires add-on | No, available on all plans | Yes, VDP Add-on ($49/mo) |
| Best for | Migrating to HackerOne, legal hold, full backup | Quarterly SOC 2 CC4/CC7 evidence folders |

If your goal is to hand evidence to an auditor, use the SOC 2 VDP Export. If your goal is to move your data, keep a backup, or migrate to another platform, use the Account Data Export described on this page.

Archive Format

The ZIP archive contains:

  • manifest.json — Metadata about the export (account info, record counts, timestamp)
  • One JSON file per data category — e.g., hiring_candidates.json, csirt_reports.json
  • attachments/ — Uploaded files organized by category and record ID

JSON was chosen because it’s universally readable, preserves data structure (including nested fields), and is supported by every programming language and data tool.
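
Before an archive is stored as a backup or handed to another platform, the documented layout and redaction rules can be checked mechanically. The script below is an added example, not Kit's own tooling: it assumes each category file sits at the archive root as a JSON array of flat objects, that the excluded category would appear as csirt_researcher_events.json, and it uses a constructed in-memory archive as sample input.

```python
import io
import json
import zipfile

REDACTED = "[REDACTED]"
# Fields this page lists as replaced with [REDACTED], keyed by export file.
REDACTED_FIELDS = {
    "csirt_researchers.json": ("payout_info", "tax_id"),
    "csirt_disbursements.json": ("transaction_reference",),
}
# File name assumed from the csirt_researcher_events category the page excludes.
EXCLUDED_FILES = ("csirt_researcher_events.json",)


def audit_export(zip_bytes):
    """Return findings; an empty list means the archive matches the documented handling."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        if "manifest.json" not in names:
            findings.append("manifest.json missing")
        for name in names:
            # Flag entries that would land outside the extraction directory.
            parts = name.replace("\\", "/").split("/")
            if name.startswith("/") or ".." in parts:
                findings.append(f"unsafe path: {name}")
        findings += [f"excluded file present: {n}" for n in EXCLUDED_FILES if n in names]
        for name, fields in REDACTED_FIELDS.items():
            if name not in names:
                continue
            # Assumption: each category file is a JSON array of flat objects.
            for i, record in enumerate(json.loads(zf.read(name))):
                for field in fields:
                    if record.get(field) not in (None, REDACTED):
                        findings.append(f"{name}[{i}].{field} not redacted")
    return findings


def build_sample(researchers):
    """Build a constructed in-memory archive; all values are made up for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps({"note": "constructed sample"}))
        zf.writestr("csirt_researchers.json", json.dumps(researchers))
        zf.writestr("csirt_disbursements.json",
                    json.dumps([{"amount": 500, "transaction_reference": REDACTED}]))
    return buf.getvalue()


if __name__ == "__main__":
    leaky = build_sample([{"handle": "sample", "payout_info": "constructed-value", "tax_id": REDACTED}])
    print(audit_export(leaky))
```

To check a real download, pass the bytes of the ZIP file to audit_export and review any findings before the archive leaves the admin's machine.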

Download Window

  • Archives are available for 7 days after completion
  • Download links expire after 1 hour — refresh the page to get a new link
  • After 7 days, the archive is automatically deleted from storage
  • The export record itself is retained for audit purposes

Limits

  • One export at a time — You cannot start a new export while one is in progress
  • Processing time — Depends on account size; most accounts complete within a few minutes
  • File size — Varies with the number of attachments; the record count and file size are shown after completion

If an Export Fails

Occasionally an export may fail due to a temporary issue. When this happens:

  • The failure reason is displayed on the export card
  • You’ll receive an email notification
  • Simply request a new export — the previous failed export doesn’t block you

Quick Checklist

  • You are an account administrator
  • No other export is currently in progress
  • You have access to the email address on your account (for the ready notification)
  • You’ll download the archive within 7 days of completion
  • If migrating VDP data, verify researcher payout info was captured separately before export (it is redacted in the archive)
  • If you need auditor-formatted evidence rather than a full backup, use VDP → Exports instead

See Also

  • Metrics and Exports — SOC 2 evidence exports (CSV/PDF) filtered by date range and severity
  • Bounties and Payouts — Financial ledger details that feed into both export types
  • AI Integration — Using the AI agent to pull metrics and generate summaries before exporting
