Submitting a Vulnerability Using Embedded Form

Researchers can submit vulnerability reports to Bugcrowd directly from within our customers' websites and apps, without signing in to Bugcrowd. An example of this embedded form is available at https://www.bugcrowd.com/hackme-external-form/.

The Hack Me program is set up for testing Bugcrowd functionality from a researcher's perspective. Vulnerabilities submitted through the Hack Me embedded form will not be reviewed or triaged. To submit actual vulnerabilities found on Bugcrowd, submit them to the Bugcrowd program and not the Hack Me form.

In the form, provide the vulnerability details such as technical severity, detailed description, vulnerability location, trace/HTTP dump, and any other additional information. You can provide your email address to receive updates for the reported vulnerability and a claim ticket. Later, you can use this claim ticket to log in to Bugcrowd to receive the reward for your submission.

Reporting a Vulnerability

To report a vulnerability on an external form found in the wild:

  1. Fill in the form with the relevant information.

    | Field | Sub Field | Details |
    |---|---|---|
    | Info | | Provide a summary of the vulnerability. |
    | Technical severity | | Select the vulnerability type. Based on Bugcrowd’s Vulnerability Rating Taxonomy (VRT), a baseline technical severity rating is assigned. |
    | Vulnerability details | URL/Location of vulnerability | Provide the URL or location of the vulnerability. |
    | | Description | Provide a detailed description of the vulnerability. It can include information such as security impact, replication steps, proof of concept, or any other details. |
    | | Trace dump/HTTP request | Specify the trace dump or HTTP request. |
    | | Any additional information | Provide additional information that is relevant to the submitted vulnerability. |
    | Attachments | | Click Add Attachments and upload images or videos related to the vulnerability. For example, demo of the replication steps, proof-of-concept scripts, screenshots, or any other relevant images or videos. You can attach multiple files (up to five). Each file size must be less than 100MB. |
    | Email | | Provide your email address for receiving an email that allows you to claim the submission on . You can provide an email ID that is already registered with Bugcrowd or provide any other email ID. |
    | Confirmation | | Select the "I agree to the Bugcrowd terms & conditions as well as any additional rules and instructions provided by the organization hosting this program" option. |
  2. Click Report Vulnerability.

    The "Your submission has been received" message is displayed along with the submission ID. You will also receive an email for claiming your submission.

Receiving Email Notifications

Until you claim your submission, you will receive notification emails from Bugcrowd that inform you about changes to the submission. A notification email is sent whenever a submission is updated, transitioned (status change), or commented on.

The following image shows a notification email that you will receive when a submission is transitioned to the Triaged state.

[Image: notification email for a submission transitioned to Triaged]

The following image shows a notification email that you will receive when the submission details are updated.

[Image: notification email for updated submission details]

If you do not want to receive notifications, click unsubscribe. For more information, see unsubscribing from submissions.

Claiming Your Submission

To receive the reward for the submitted vulnerability, perform the following to claim your submission:

  1. In the email you have received, click Claim the submission.

    The Log in to Bugcrowd page is displayed.

  2. If you already have a Bugcrowd account, then use that email ID, associated password, and click Log in.

    If you do not have a Bugcrowd account, then click create an account. For information about creating an account, see becoming a researcher.

    The Claim your reward page is displayed. Also, the Signed in successfully message is displayed.

  3. Click Claim.

    The Successfully claimed message is displayed and you are redirected to the Payments tab.

    Claim with a different account: Use this option if you want to use another account to claim your reward. The Log in to Bugcrowd page is displayed. If you already have an account with Bugcrowd, use the same email ID and password. Otherwise, create an account and then log in. For information about creating an account, see becoming a researcher.

Unsubscribing from Submissions

You can unsubscribe from submissions so that you will no longer receive any correspondence or updates.

To unsubscribe from a submission:

  1. In the email that you have received for claiming your submission, click unsubscribe.

    The Unsubscribe from submission page is displayed.

  2. Select any of the following reasons:

    • This submission was not submitted by me
    • I have no interest in engaging with this submission
    • Other: Provide any other reason

  3. Click Unsubscribe.

    When you unsubscribe from a submission, an activity is added on the submission and includes the unsubscribe reason.