API Changelog

Semantic versioning system (X.Y.Z)

API Support Policy and Maintenance Mode

Clear Deprecation Strategy

Predictable Release Cadence

Consolidation of date-based versions into V1

API format and structure improvements

Simplified serializers

Performance optimization through reduced queries

Add submission_activities index endpoint

Add submission_comments index endpoint

Remove pagination offset limit

Add access_invitation create endpoint

Add access_invitation delete endpoint

Add access_invitations index endpoint

Add member_role update endpoint

Add multiple assignees support to submission endpoints

Add organization_member delete endpoint

Add organization_member fetch endpoint

Add organization_members index endpoint

Add program_role create endpoint

Add program_role delete endpoint

Add program_roles index endpoint

Add team create endpoint

Add team delete endpoint

Add team fetch endpoint

Add team_member fetch endpoint

Add team_member fetch endpoint

Add team_members index endpoint

Add team_role create endpoint

Add team_role delete endpoint

Add teams index endpoint

Add engagement relationship to submission creation endpoint

Add authentication log endpoint

Add authorization logs endpoint

Add disclosure request endpoint

Add activities.event as includable resource to submission endpoint

Add filter by engagement to submission endpoint

Add submissions as includable resource to engagement endpoint

Release engagement resource endpoint

Deleting Outgoing Webhooks

Admins can now view the API keys of their team members

Generic accept header not supported for legacy (v3) API

The current API version will now accept Generic Accept Header

Manage Team Members API Keys

Webhook integration

API code examples

Auth token must be marked legacy to use the legacy (v3) API

The legacy (v3) API will now 404 if used with a new auth token

New field and button to copy raw request body from webhook delivery page

Introduced a variant for OAuth Accounting Squatting classified as a P4

Secure Code Warrior developed a VRT mapping to their developer training

Extended support for Automotive categorization, developed in collaboration with Stellantis.

Downgraded all Flash-based entries to a rating of P5

Improved existing remediation advice for a number of entries

Simplified Weak Login Function entries with a baseline severity rating of P4

Filtering for submissions in new state does not return any

Increased expiration time of s3_signed_url attribute for file_attachments

New API

View active API keys provisioned across your team

More detailed query parameter documentation (from swagger UI to redoc)

Visibility into usage of API tokens across the team

Automative Security Misconfiguration category

Sensitive Data Exposure > Weak Password Reset Implementation > Token Leakage via Host Header Poisoning as a new P2 variant, which is consistent with how this issue has been triaged by Bugcrowd’s Application Security Engineers so far.

Two new P4’s related to 2FA Secret Management

Remediation Advice links to latest OWASP Documentation

Tokenized date search

Platform supports 100MB for all file uploads

VRT 1.6

VRT 1.5

Bugcrowd University

Customer Security Event Log

Researcher Security Event Log

VRT v1.4 is shipped

VRT v1.3 is shipped

New API docs are available.

created_at DateTime within the Comment Object

VRT gem is now open sourced