Skip to main content

Bugcrowd

Bugcrowd is an application security service that assists skilled security researchers to uncover vulnerabilities. You can bring program and submission data from Bugcrowd into Brinqa to track, prioritize, and remediate risks across your applications.

This document details the information you must provide for the connector to authenticate with Bugcrowd and how to obtain that information from Bugcrowd. See create a data integration for step-by-step instructions on setting up the integration.

Required connection settings

When setting up a data integration, select Bugcrowd from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate Bugcrowd with Brinqa:

  • API URL: The Bugcrowd API URL. The default URL is https://api.bugcrowd.com.

  • Access key and Secret key: The API keys associated with the Bugcrowd account, which must have permissions to log in to the API server and return data.

Generate Bugcrowd API keys

For the Bugcrowd connector to access the Bugcrowd API, you must provide API keys. To do so, follow these steps:

  1. Log in to your organization's Bugcrowd portal as an administrator.

  2. Click the profile icon and select API Credentials from the drop-down.

  3. Provide an App name and click Create credentials.

    Your new API keys display. You cannot view the keys after this. Copy and save them to a secure location.

    Bugcrowd API keys

    info

    Paste the HTTP Basic Authentication Username into the Access key field and the HTTP Basic Authentication Password into the Secret key field of the integration configuration.

  4. Click the Default version drop-down for the corresponding application name and select Legacy. The Bugcrowd connector is designed to work with the legacy version of the Bugcrowd API.

    Bugcrowd API version

note

If you do not have the permissions to create API keys, contact your Bugcrowd administrator. For additional information, see Bugcrowd documentation.

Additional settings

The Bugcrowd connector contains an additional option for specific configuration:

  • Page size: The maximum number of records to get per API request. The default setting is 100. It is not recommended to go over 100.

Types of data to retrieve

The Bugcrowd connector can retrieve the following types of data from the Bugcrowd API:

Table 1: Data retrieved from Bugcrowd

Connector ObjectRequiredMaps to Data Model
ProgramNoNot mapped
SubmissionYesPentest Finding
Pentest Finding Definition
Site
info

For detailed steps on how to view the data retrieved from Bugcrowd in the Brinqa Platform, see How to view your data.

Attribute mappings

The mappings for the Submission object varies based on the submission type. For example, submissions identified as pentest findings are mapped to the Pentest Finding data model, while those related to a specific site are mapped to the Site data model. This ensures that the Bugcrowd submissions are accurately categorized in the Brinqa Platform.

Expand the section below to view the mappings between the source and the Brinqa data model attributes:

Submission

Table 2: Submission attribute mappings

Source Field NameMaps to UDMMaps to Attribute
ASSIGNEE_EMAILNot mappedLocal variable
ASSIGNEE_NAMENot mappedLocal variable
BUG_URLPentest Findingurl
BOUNTY_BRIEF_IDNot mappedLocal variable
BOUNTY_CODENot mappedLocal variable
BOUNTY_UUIDNot mappedLocal variable
CAPTIONNot mappedLocal variable
CATEGORYPentest Findingcategories
CVSS_SCOREPentest Finding DefinitionUse CVSS calculator
CVSS_VECTORPentest Finding DefinitionUse CVSS calculator
CVSS_VERSIONPentest Finding DefinitionUse CVSS calculator
DESCRIPTIONPentest Finding Definitiondescription
DUPLICATENot mappedLocal variable
DUPLICATE_OFNot mappedLocal variable
EXTRA_INFOPentest Findingresults
FILE_ATTACHMENT_COUNTNot mappedLocal variable
HTTP_REQUESTPentest Findingrequest
MONETARY_REWARDSNot mappedLocal variable
PRIORITYNot mappedLocal variable
REFERENCE_NUMBERNot mappedLocal variable
REMEDIATION_ADVICEPentest Finding Definitionrecommendation
SOURCENot mappedLocal variable
SUB_CATEGORYNot mappedcategories
SUB_STATEPentest Findingstatus, statusCategories
SUBMITTED_ATPentest FindingfirstFound
SYS_IDPentest Findinguid
TARGETPentest Finding,
Site
targets, uid, name, url
TITLEPentest Finding Definitionname
USERNot mappedLocal variable
VARIANTNot mappedLocal variable
info

Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.

Use CVSS calculator indicates that the CVSS (Common Vulnerability Scoring System) vectors and scores aren't directly mapped to a specific attribute on the UDM. Instead, these fields may require you to use a CVSS calculator to compute the overall vulnerability score based on the CVSS vector strings provided.

Operation options

The Bugcrowd connector supports the following operation options. See connector operation options for information about how to apply them.

Table 3: Bugcrowd connector operation options

Connector ObjectOptionAll Possible ValuesDescriptionExample
Submissionduplicatetrue, falseRetrieve submissions based on their duplicate status as determined by Bugcrowd.Key: duplicate Value: false. This key and value combination only retrieves submissions that are not marked as duplicates.
note

The option keys and values are case-sensitive as they are shown in this documentation.

APIs

The Bugcrowd connector uses the Bugcrowd API. Specifically, it uses the following endpoints:

Table 4: Bugcrowd Legacy API Endpoints

Connector ObjectAPI Endpoint
ProgramGET /bounties
SubmissionGET /bounties
GET /vrt/{version_number}
GET /bounties/{bountyID}/submissions

Changelog

The Bugcrowd connector has undergone the following changes:

v3.0.0