API Changelog

Add engagement relationship to submission creation endpoint

Add authentication log endpoint

Add authorization logs endpoint

Add disclosure request endpoint

Add activities.event as includable resource to submission endpoint

Add filter by engagement to submission endpoint

Add submissions as includable resource to engagement endpoint

Release engagement resource endpoint

Add an engagement resource endpoint

Add network to target category attribute values

Add actor submission actitivy

Deleting Outgoing Webhooks

Admins can now view the API keys of their team members

Generic accept header not supported for legacy (v3) API

The current API version will now accept Generic Accept Header

Manage Team Members API Keys

Webhook integration

API code examples

Auth token must be marked legacy to use the legacy (v3) API

The legacy (v3) API will now 404 if used with a new auth token

New field and button to copy raw request body from webhook delivery page

Add visibility_scope attribute to comment

Add create comment endpoint POST /comments

Add external_issue relationship to submission

Add event based webhooks

Add filter and sort by latest activity to submission index

Add jira to submission source attribute values

Add download_url to FileAttachment

Change wont_fix to informational

Deprecate s3_signed_url on FileAttachment

Remove invited-asc and invited-desc sort options from programs index

Add maximum page offset error

Fix data type error when value is not an object

Fixed schema error for nullable fields

Fix relationship default order

Fix submission state filter when value is new

Change related submission access

Remove researcher_email from submission

Scope included targets to user program access

Introduced a variant for OAuth Accounting Squatting classified as a P4

Secure Code Warrior developed a VRT mapping to their developer training

Extended support for Automotive categorization, developed in collaboration with Stellantis.

Downgraded all Flash-based entries to a rating of P5

Improved existing remediation advice for a number of entries

Simplified Weak Login Function entries with a baseline severity rating of P4

Filtering for submissions in new state does not return any

Add transition timestamps for submission resource

Add options to programs fields parameter

Add options to programs include parameter

Add options to submissions fields parameter

Add options to submissions include parameter

Remove invalid top-level parameters

Remove additional properties from POST /claim_tickets

Remove program_groups from program

Remove reward_range from submissions fields parameter

Remove submission from targets fields parameter

Change submission relationship on POST /claim_tickets to has_many

Change error message for POST /monetary_rewards

Change order of include lists

Scope programs relationship for included organization resources

Increased expiration time of s3_signed_url attribute for file_attachments

New API

View active API keys provisioned across your team

More detailed query parameter documentation (from swagger UI to redoc)

Visibility into usage of API tokens across the team

Automative Security Misconfiguration category

Sensitive Data Exposure > Weak Password Reset Implementation > Token Leakage via Host Header Poisoning as a new P2 variant, which is consistent with how this issue has been triaged by Bugcrowd’s Application Security Engineers so far.

Two new P4’s related to 2FA Secret Management

Remediation Advice links to latest OWASP Documentation

Tokenized date search

Platform supports 100MB for all file uploads

VRT 1.6

VRT 1.5

Bugcrowd University

Customer Security Event Log

Researcher Security Event Log

VRT v1.4 is shipped

VRT v1.3 is shipped

New API docs are available.

created_at DateTime within the Comment Object

VRT gem is now open sourced