
Embedded Submission Form

The Embedded Submission Form integration enables you to host a submission form from your own website rather than through Bugcrowd. This integration provides a streamlined workflow so that researchers can easily submit vulnerability reports directly to you, while allowing you to continue to manage and track submissions through Crowdcontrol.

With Embedded Submission Forms, researchers do not need to sign into or sign up for Bugcrowd. Instead, they can provide their email address and receive a claim ticket, which they can later use to log into or create an account for Bugcrowd to receive credit for their submission. Embedding a submission form on your website will allow anyone to responsibly disclose a vulnerability found in your application.

NOTICE: Preset Fields

The Embedded Submission Form is an embeddable HTML script with preset form fields. The fields cannot be customized, apart from the option to include or exclude the Target field.

Key Benefits for Embedded Submission Forms

Here are some key benefits to using embedded submission forms:

  • You can accept vulnerability reports from any researcher, whether they have a Bugcrowd account or not.
  • You can promote security best practices by enabling your partners, employees, and customers to report bugs and vulnerabilities.
  • You can manage and track submissions through Crowdcontrol for private and public programs.
  • No additional configuration is needed. The submission form pulls all the fields from your program's settings.

Embedded Submission Form Fields

The Embedded Submission Form has preset fields and is nearly identical to the vulnerability submission form for programs hosted on Bugcrowd's website, with the exception of a few subtle differences such as the Target field. The Target field is optional.

The Embedded Submission Form includes the following fields:

| Field | Subfield | Details |
|---|---|---|
| Info | | A brief note or header that best identifies what the vulnerability is about. |
| Target [Optional] | | Drop-down field the researcher can use to identify the target affected. Selections only include in-scope targets. |
| Technical Severity | | Based on Bugcrowd's Vulnerability Rating Taxonomy (VRT), researchers use this drop-down field to identify the type of vulnerability found, which is then given a baseline technical severity rating. |
| Vulnerability Details | | Includes subfields for descriptive and clear details about the vulnerability found. |
| | URL / Location of vulnerability | Enter the URL or location of the vulnerability found. |
| | Description | Comprehensive information about the vulnerability such as "what is the vulnerability?", "what is the security impact?", "replication steps", "proof of concept", etc. |
| | Trace dump/HTTP request | The trace dump or HTTP request is entered here. |
| | Additional information | Researchers enter any additional information or data relevant to the vulnerability submitted. |
| Attachment | | Images or videos can be uploaded to help clarify and demonstrate replication steps. |
| Researcher Email | | An optional field for the researcher to fill out. Entering their email will trigger an automated email that will allow the researcher to claim the submission. |

Supported Browsers

Embedded submission forms currently work with the following browsers:

  • Safari
  • Firefox
  • Edge
  • Chrome
  • Internet Explorer 11

Setting Up the Embedded Submission Form Integration

To set up the Embedded Submission Form integration, you’ll need to be an organization owner or program admin, and complete the following:

  1. Embed the Embedded Submission Form code provided by Bugcrowd into a page on your website.
  2. Whitelist your site domain so that the form can appear on your website.
  3. Enable the targets option if you want to display a list of in-scope targets on the form.
  4. Enable the Embedded Submission Form integration.
  5. Receive Vulnerabilities.

Step 1: Embedding the Embedded Submission Form

  1. Go to the "Settings" page of your program.
  2. Go to the "Integrations" tab and click the Add Integration button for Embedded Submission Form.
  3. Copy the embed code.
  4. Add it to the body of your web page.
  5. Load the web page to view the form; you'll see a notification that the integration has not been enabled.

Step 2: Whitelisting Domains

It is necessary for you to whitelist your site domain to prevent others from hosting your submission form elsewhere. This can be done directly from the configuration page.

  1. From the "Whitelisted Domains" section of the configuration page, click "Add Whitelist Entry."
  2. Enter the domain you want to whitelist. You can enter a fully qualified domain name or use an asterisk (*) as a wildcard.

Non-HTTPS site

If you are hosting the embedded form on a non-HTTPS page, you have to include the scheme (http://) in the whitelist entry.
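
To check which host pages a set of whitelist entries would cover before you save them, the following added example (not Bugcrowd's code) models the rules described above. It assumes that an entry without a scheme covers HTTPS pages only and that `*` matches any run of characters; this page does not state how Bugcrowd evaluates wildcards, and the function names and sample domains are constructed.

```javascript
// Local model of whitelist matching for review purposes, NOT Bugcrowd's logic.
// Assumptions: no scheme on an entry means https:// only (the docs require
// http:// to be written explicitly); "*" matches any run of characters.

function parseEntry(entry) {
  const m = /^(https?):\/\/(.+)$/i.exec(entry.trim());
  return m
    ? { scheme: m[1].toLowerCase(), host: m[2].toLowerCase() }
    : { scheme: "https", host: entry.trim().toLowerCase() };
}

function hostMatches(pattern, host) {
  // Escape regex metacharacters, then turn the escaped "*" into ".*".
  const re = pattern.replace(/[.*+?^${}()|[\]\\]/g, "\\$&").replace(/\\\*/g, ".*");
  return new RegExp(`^${re}$`).test(host);
}

// True if the page at pageUrl would be covered by at least one entry.
function pageAllowed(pageUrl, entries) {
  const u = new URL(pageUrl);
  const scheme = u.protocol.replace(":", "");
  return entries.some((e) => {
    const { scheme: s, host } = parseEntry(e);
    return s === scheme && hostMatches(host, u.hostname);
  });
}

// Flag entries that cover more hosts than a single site or its subdomains.
function lintEntry(entry) {
  const { scheme, host } = parseEntry(entry);
  const warnings = [];
  if (scheme === "http") warnings.push("form would be hosted on a non-HTTPS page");
  if (host === "*") warnings.push("matches every domain");
  else if (host.includes("*") && !/^\*\.[^*]+\.[^*]+$/.test(host))
    warnings.push("wildcard is broader than a leading '*.' subdomain label");
  return warnings;
}

// Constructed sample entries and pages.
const entries = ["security.example.com", "*.example.org"];
console.log(pageAllowed("https://security.example.com/report", entries)); // covered
console.log(pageAllowed("http://security.example.com/report", entries));  // scheme missing
console.log(lintEntry("*example.com")); // also covers hosts such as notexample.com
```

Under these assumptions, `*.example.org` covers subdomains but not `example.org` itself, so the bare domain needs its own entry.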

Step 3: Enabling Target Selection

Target selection allows researchers to select from a list of targets that are within a program's scope. By default, target selection is turned off. If you are running a public program, you may want to turn this option on to make this information available to researchers.

To enable target selection on the submission form, turn the "Targets" option on.

Step 4: Enabling the Integration

Program must be enabled

The Embedded Submission Form must be set live before you can start receiving submissions. Please contact support@bugcrowd.com to turn it on.

Step 5: Receive Submissions

Now that you've embedded the form and enabled the integration, others will be able to go to the webpage to submit vulnerabilities via the embedded form. As vulnerabilities are submitted, they will appear in Crowdcontrol for you to review.
