The Embedded Submission Form integration enables you to host a submission form from your own website rather than through Bugcrowd. This integration provides a streamlined workflow so that researchers can easily submit vulnerability reports directly to you, while allowing you to continue to manage and track submissions through Crowdcontrol.
With Embedded Submission Forms, researchers do not need to sign into or sign up for Bugcrowd. Instead, they can provide their email address and receive a claim ticket, which they can later use to log into or create an account for Bugcrowd to receive credit for their submission. Embedding a submission form on your website will allow anyone to responsibly disclose a vulnerability found in your application.
NOTICE: Preset Fields
The Embedded Submission Form is an embeddable HTML script with preset form fields. Fields may not be adjusted to fit a custom form fill other than the option to include or exclude the Target field.
Here are some key benefits to using embedded submission forms:
- You can accept vulnerability reports from any researcher, whether they have a Bugcrowd account or not.
- You can promote security best practices by enabling your partners, employees, and customers to report bugs and vulnerabilities.
- You can manage and track submissions through Crowdcontrol for private and public programs.
- No additional configuration is needed. The submission form pulls all the fields from your program's settings.
The Embedded Submission Form has preset fields is nearly identical to the vulnerability submission form for programs hosted on Bugcrowd's website, with exception to a few subtle nuances such as the Target field. The Target field is optional – to learn more click here.
The Embedded Submission Form includes the following fields:
A brief note or header that best identifies what the vulnerability is about.
Drop-down field the researcher can use to identify the target affected. Selections only include in-scope targets.
Based on Bugcrowd's Vulnerability Rating Taxonomy (VRT), researchers use this drop-down field to identify the type of vulnerability found which is then given a baseline technical severity rating.
Includes subfields for descriptive and clear details about the vulnerability found.
URL / Location of vulnerability
Enter the URL or location of the vulnerability found.
Comprehensive information about the vulnerability such as "what is the vulnerability?", "what is the security impact?", "replication steps", "proof of concept", etc.
Trace dump/HTTP request
Trace dump or HTTP request is entered in here.
Researchers enter any additional information or data relevant to the vulnerability submitted.
Images or videos can be uploaded to help clarify and demonstrate replication steps.
An optional field for researcher to fill out. Entering their email will trigger an automated email that will allow the researcher to claim the submission.
Embedded submission forms currently work with the following browsers:
- Internet Explorer 11
To set up the Embedded Submission Form integration, you’ll need to be an organization owner or program admin, and complete the following:
- Embed the Embedded Submission Form code provided by Bugcrowd into a page on your website.
- Whitelist your site domain so that the form can appear on your website.
- Enable the targets option if you want to display a list of in-scope targets on the form.
- Enable the Embedded Submission Form integration.
- Receive Vulnerabilities.
- Go to the "Settings" page of your program.
- Go the "Integrations" tab and click the Add Integration button for Embedded Submission Form.
- Copy the embed code.
- Add it to the body of your web page.
- Load the web page to view the form; you'll see a notification that the integration has not been enabled.
It is necessary for you to whitelist your site domain to prevent others from hosting your submission form elsewhere. This can be done directly from the configuration page.
- From the "Whitelisted Domains" section of the configuration page, click "Add Whitelist Entry."
- Enter the domain you want to whitelist. You can enter a fully qualified domain name or use an asterisk (*) as a wildcard.
If you hosting the embedded form on a non-https page, you have to include the scheme (
http://) on the whitelist
Target selection allows researchers to select from a list of targets that are within a program's scope. By default, target selection is turned off. If you are running a public program, you may want to turn this option on to make this information available to researchers.
To enable target selection on the submission form, turn the "Targets" option on.
Program must be enabled
The Embedded Submission Form must be set live before you can start receiving submissions. Please contact firstname.lastname@example.org to turn it on.
Now that you've embedded the form and enabled the integration, others will be able to go to the webpage to submit vulnerabilities via the embedded form. As vulnerabilities are submitted, they will appear in Crowdcontrol for you to review.