
Bugcrowd
Application Security- Overview
- Setup
- Data & mappings
- Operations & API
- Changelog
The Bugcrowd connector integrates with the Bugcrowd crowdsourced security platform using the Bugcrowd API v1 (JSON:API 1.1.0). It synchronizes programs, pentest findings (submissions), pentest finding definitions (sourced from the Bugcrowd Vulnerability Rating Taxonomy), and the web-application sites those findings were reported against.
The connector reads paginated JSON:API responses and resolves related data from each response's
included[] array (program, target, researcher, assignees, CVSS vector, monetary rewards, etc.).
Category: Application Security
Data retrieved from Bugcrowd
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Program | Yes | Assessment |
| Pentest Finding | Yes | Pentest Finding |
| Pentest Finding Definition | Yes | Pentest Finding Definition |
| Site | Yes | Site |
Model relationships
For detailed steps on how to view the data retrieved from Bugcrowd in the Brinqa Platform, see How to view your data.
Connection settings
When setting up a data integration, select Bugcrowd from the Connector dropdown and provide the following:
| Setting | Required | Default | Description |
|---|---|---|---|
| API URL | Yes | https://api.bugcrowd.com | Bugcrowd API URL |
| Access key | Yes | — | Bugcrowd API access key |
| Secret key | Yes | — | Bugcrowd API secret key |
| Page size | No | 100 | Maximum number of records to get per API request |
| Max retries | No | 5 | Maximum number of retry attempts before giving up a request |
Authentication
Authentication uses Bugcrowd's API token scheme: the access key and secret key are combined and sent on every request.
Endpoint (connection test)
| Method | URL |
|---|---|
GET | https://api.bugcrowd.com/programs?page[limit]=1 |
Request Headers
| Header | Value |
|---|---|
Authorization | Token {accessKey}:{secretKey} |
Accept | application/vnd.bugcrowd+json |
Usage
All requests carry the Authorization and Accept headers above. A 401/403 response from the
test endpoint is surfaced as a non-retryable authentication failure.
How to obtain Bugcrowd credentials
Generate Bugcrowd API keys
For the Bugcrowd connector to access the Bugcrowd API, you must provide API keys. To do so, follow these steps:
-
Log in to your organization's Bugcrowd portal as an administrator.
-
Click the profile icon and select API Credentials from the dropdown.
-
Provide an App name and click Create credentials.
Your new API keys display. You cannot view the keys after this. Copy and save them to a secure location.

Info: Paste the HTTP Basic Authentication Username into the Access key field and the HTTP Basic Authentication Password into the Secret key field of the integration configuration.
-
In the Current credentials table, click the Default version dropdown for the corresponding application name and select Version 1.1.0. The Bugcrowd connector works with version 1.1.0 of the Bugcrowd API.

Note: If you do not have the permissions to create API keys, contact your Bugcrowd administrator. For additional information, see Bugcrowd documentation.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes:
Program
| Source Field Name | SDM Attribute |
|---|---|
engagement.cancellation_reason | CANCELLATION_REASON |
engagement.code | ENGAGEMENT_CODE |
engagement.created_at | ENGAGEMENT_CREATED_AT |
engagement.ends_at | LAST_STOPPED |
engagement.engagement_type.name | ENGAGEMENT_TYPE / PROGRAM_TYPE |
engagement.expected_completed_at | EXPECTED_COMPLETED_AT |
engagement.last_transition_at | LAST_TRANSITION_AT |
engagement.paused_reason | PAUSED_REASON |
engagement.starts_at | LAST_STARTED |
engagement.state | STATUS / ENGAGEMENT_STATE |
engagement.updated_at | ENGAGEMENT_UPDATED_AT |
engagement_brief.additional_information | ADDITIONAL_INFORMATION |
engagement_brief.collaboration_enabled | COLLABORATION_ENABLED |
engagement_brief.coordinated_disclosure | COORDINATED_DISCLOSURE |
engagement_brief.crowdstream_visible | CROWDSTREAM_VISIBLE |
engagement_brief.description | DESCRIPTION |
engagement_brief.name | BRIEF_NAME |
engagement_brief.safe_harbor_status | SAFE_HARBOR_STATUS |
engagement_brief.share_known_issues | SHARE_KNOWN_ISSUES |
engagement_brief.tagline | TAG_LINE |
engagement_brief.targets_overview | TARGETS_OVERVIEW |
included organization.attributes.name | ORG_NAME |
program.attributes.code | CODE |
program.attributes.name | NAME |
ProgramResource.id | UID |
relationships.organization.data.id | ORG_ID |
| sync timestamp | LAST_CAPTURED |
Pentest Finding
| Source Field Name | SDM Attribute |
|---|---|
| duplicate_of relationship id | DUPLICATE_OF |
| engagement relationship id | ENGAGEMENT_ID |
included assignee email (list) | ASSIGNEE_EMAIL |
included assignee name (list) | ASSIGNEE_NAME |
| included cvss_vector authorization_scope | CVSS_SCOPE |
| included cvss_vector fields | CVSS_V2_* / CVSS_V3_* |
| included cvss_vector v4 fields | CVSS_V4_* |
| included cvss_vector version | CVSS_VERSION |
included monetary reward formatted_amount (list) | MONETARY_REWARDS |
| included program code | BOUNTY_CODE |
| included program name | PROGRAM_NAME |
| included researcher email | RESEARCHER_EMAIL |
| included researcher name | USER |
| included researcher staff | RESEARCHER_STAFF |
| included target category | CATEGORIES |
| included target name | TARGET_NAME |
| last_activity_feed_item_created_at | LAST_ACTIVITY_AT |
| last_transitioned_to_informational_at | INFORMATIONAL_AT |
| last_transitioned_to_not_applicable_at | NOT_APPLICABLE_AT |
| last_transitioned_to_not_reproducible_at | NOT_REPRODUCIBLE_AT |
| last_transitioned_to_out_of_scope_at | OUT_OF_SCOPE_AT |
| last_transitioned_to_resolved_at | RESOLVED_AT |
| last_transitioned_to_triaged_at | TRIAGED_AT |
| last_transitioned_to_unresolved_at | UNRESOLVED_AT |
| normalized from state | SOURCE_STATUS |
| program relationship id | BOUNTY_UUID |
| program relationship id | ASSESSMENT |
submission.attributes.bug_url | URL |
submission.attributes.description | DESCRIPTION |
submission.attributes.duplicate | DUPLICATE |
submission.attributes.extra_info | RESULTS |
submission.attributes.http_request | REQUEST |
submission.attributes.remediation_advice | RECOMMENDATION |
submission.attributes.severity | PRIORITY |
submission.attributes.source | SOURCE |
submission.attributes.state | PROVIDER_STATUS |
submission.attributes.submitted_at | FIRST_FOUND |
submission.attributes.title | NAME |
submission.attributes.vrt_id | TYPE |
submission.attributes.vrt_version | VRT_VERSION |
submission.attributes.vulnerability_references | VULNERABILITY_REFERENCES |
SubmissionResource.id | UID |
| sync timestamp | LAST_CAPTURED |
| target name + bug_url | TARGETS |
Pentest Finding Definition
| Source Field Name | SDM Attribute |
|---|---|
| category / sub-category / variant names | CATEGORIES |
| category::sub-category::variant | NAME |
constant | TAGS |
| deprecation note | DESCRIPTION |
| derived from normalized severity | SEVERITY_SCORE |
| normalized from SOURCE_SEVERITY | SEVERITY |
| severity label from VRT priority | SOURCE_SEVERITY |
| sync timestamp | LAST_CAPTURED |
| VRT category name | CATEGORY |
| VRT sub-category name | SUB_CATEGORY |
| VRT variant name | VARIANT |
| vrt_id | UID |
Site
| Source Field Name | SDM Attribute |
|---|---|
| bug_url | NAME |
| bug_url | URL |
default | STATUS |
submission.attributes.bug_url | UID |
| sync timestamp | LAST_CAPTURED |
target.category | CATEGORIES |
Operations & API
Expand each connector object to see its operation options, delta-sync behavior, and the API it uses. See connector operation options for how to apply operation options (keys and values are case-sensitive).
Program
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint · Endpoint:
GET /programs
Pentest Finding
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint · Endpoint:
GET /submissions - Default filters:
filter[last_activity_feed_item_created_at]=from.{since}(applied only on delta syncs when a sync token is present)
Pentest Finding Definition
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint (static file download; derived model) · Endpoint:
VRT taxonomy and deprecated-node mapping fetched from
Site
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint · Endpoint:
GET /submissions - Default filters:
filter[last_activity_feed_item_created_at]=from.{since}(applied only on delta syncs when a sync token is present)
Changelog
The Bugcrowd connector has undergone the following changes:
| Version | Description | Migration Steps |
|---|---|---|
| 3.1.0 | New Features - Updated to Bugcrowd's current API. The connector now runs on Bugcrowd's latest supported API, replacing the older version that has been retired. This keeps the integration working and brings in richer detail across the board. - More complete program information. Programs now include organization and engagement details — such as program type, status, safe-harbor coverage, and key dates. - More complete finding information. Findings now include the researcher and assignees, reward amounts, duplicate links, CVSS scoring, and important activity dates. - Clearer vulnerability classification. Every finding is matched to Bugcrowd's official Vulnerability Rating Taxonomy, giving it a category, sub-category, and severity. - Older findings are classified correctly. Findings reported under outdated vulnerability types are automatically mapped to their current equivalent, so they're no longer left unclassified. Types Bugcrowd has retired into its general "Other" group are labeled as such. - Faster incremental syncs. After the first full sync, the connector pulls only the findings (and their sites) that have changed since the last run, instead of re-fetching everything each time. Improvements - Consistent statuses. Every Bugcrowd finding status maps to a standard status, so nothing shows up as uncategorized. - Trustworthy severity. Severity comes directly from Bugcrowd's taxonomy and is applied consistently across related findings. - Readable dates. Activity and engagement dates now display as proper dates. Bug Fixes - Dates that previously showed as raw numbers now display correctly. | • Re-sync the Bugcrowd connector after upgrading. Status, severity, and several date fields changed, Programs are now represented as Assessments, and Pentest Findings now link to their Program — so existing Program, Pentest Finding, and Pentest Finding Definition records should be refreshed. |
| 3.0.1 | Improvements - Connector-sourced attribute values now take precedence over non-connector data channels (manual edits, bulk imports, UI input) when the platform consolidates records, so Bugcrowd data is no longer overridden by lower-priority sources. - Attribute values are now written through the platform's shared, type-validating attribute helper, so values are validated against the declared schema type at write time. Bug Fixes - Corrected the Pentest Finding "First found" and Program "Last started" / "Last stopped" attributes to be stored as proper timestamps (were stored as numbers). - Corrected the Pentest Finding CVSS v2 / v3 "Base score" attributes to be stored as numbers (were text), matching the values returned by the Bugcrowd API. | • Pentest Finding and Program: the date attributes and CVSS base-score attributes listed above changed data type. Re-sync the Bugcrowd connector to repopulate these records. |
| 3.0.0 | Overview The Bugcrowd connector integrates with the Bugcrowd crowdsourced security platform to synchronize pentest findings, the underlying vulnerability taxonomy, affected sites, and bug bounty programs. Category: Application Security Models | N/A |