Bugcrowd
Bugcrowd is an application security service that helps skilled security researchers uncover vulnerabilities. You can bring program and submission data from Bugcrowd into Brinqa to track, prioritize, and remediate risks across your applications.
This document details the information you must provide for the connector to authenticate with Bugcrowd and how to obtain that information from Bugcrowd. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Bugcrowd from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate Bugcrowd with Brinqa:
- API URL: The Bugcrowd API URL. The default URL is https://api.bugcrowd.com.
- Access key and Secret key: The API keys associated with the Bugcrowd account, which must have permissions to log in to the API server and return data.
Generate Bugcrowd API keys
For the Bugcrowd connector to access the Bugcrowd API, you must provide API keys. To do so, follow these steps:
- Log in to your organization's Bugcrowd portal as an administrator.
- Click the profile icon and select API Credentials from the drop-down.
- Provide an App name and click Create credentials.
  Your new API keys display. You cannot view the keys after this. Copy and save them to a secure location.
  Info: Paste the HTTP Basic Authentication Username into the Access key field and the HTTP Basic Authentication Password into the Secret key field of the integration configuration.
- Click the Default version drop-down for the corresponding application name and select Legacy. The Bugcrowd connector is designed to work with the legacy version of the Bugcrowd API.
If you do not have the permissions to create API keys, contact your Bugcrowd administrator. For additional information, see Bugcrowd documentation.
Additional settings
The Bugcrowd connector contains an additional option for specific configuration:
- Page size: The maximum number of records to get per API request. The default setting is 100. It is not recommended to go over 100.
Types of data to retrieve
The Bugcrowd connector can retrieve the following types of data from the Bugcrowd API:
Table 1: Data retrieved from Bugcrowd
Connector Object | Required | Maps to Data Model |
---|---|---|
Program | No | Not mapped |
Submission | Yes | Pentest Finding, Pentest Finding Definition, Site |
For detailed steps on how to view the data retrieved from Bugcrowd in the Brinqa Platform, see How to view your data.
Attribute mappings
The mappings for the Submission object vary based on the submission type. For example, submissions identified as pentest findings are mapped to the Pentest Finding data model, while those related to a specific site are mapped to the Site data model. This ensures that the Bugcrowd submissions are accurately categorized in the Brinqa Platform.
The following section lists the mappings between the source and the Brinqa data model attributes:
Submission
Table 2: Submission attribute mappings
Source Field Name | Maps to UDM | Maps to Attribute |
---|---|---|
ASSIGNEE_EMAIL | Not mapped | Local variable |
ASSIGNEE_NAME | Not mapped | Local variable |
BUG_URL | Pentest Finding | url |
BOUNTY_BRIEF_ID | Not mapped | Local variable |
BOUNTY_CODE | Not mapped | Local variable |
BOUNTY_UUID | Not mapped | Local variable |
CAPTION | Not mapped | Local variable |
CATEGORY | Pentest Finding | categories |
CVSS_SCORE | Pentest Finding Definition | Use CVSS calculator |
CVSS_VECTOR | Pentest Finding Definition | Use CVSS calculator |
CVSS_VERSION | Pentest Finding Definition | Use CVSS calculator |
DESCRIPTION | Pentest Finding Definition | description |
DUPLICATE | Not mapped | Local variable |
DUPLICATE_OF | Not mapped | Local variable |
EXTRA_INFO | Pentest Finding | results |
FILE_ATTACHMENT_COUNT | Not mapped | Local variable |
HTTP_REQUEST | Pentest Finding | request |
MONETARY_REWARDS | Not mapped | Local variable |
PRIORITY | Not mapped | Local variable |
REFERENCE_NUMBER | Not mapped | Local variable |
REMEDIATION_ADVICE | Pentest Finding Definition | recommendation |
SOURCE | Not mapped | Local variable |
SUB_CATEGORY | Not mapped | categories |
SUB_STATE | Pentest Finding | status, statusCategories |
SUBMITTED_AT | Pentest Finding | firstFound |
SYS_ID | Pentest Finding | uid |
TARGET | Pentest Finding, Site | targets, uid, name, url |
TITLE | Pentest Finding Definition | name |
USER | Not mapped | Local variable |
VARIANT | Not mapped | Local variable |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Use CVSS calculator indicates that the CVSS (Common Vulnerability Scoring System) vectors and scores aren't directly mapped to a specific attribute on the UDM. Instead, these fields may require you to use a CVSS calculator to compute the overall vulnerability score based on the CVSS vector strings provided.
Operation options
The Bugcrowd connector supports the following operation options. See connector operation options for information about how to apply them.
Table 3: Bugcrowd connector operation options
Connector Object | Option | All Possible Values | Description | Example |
---|---|---|---|---|
Submission | duplicate | true, false | Retrieve submissions based on their duplicate status as determined by Bugcrowd. | Key: duplicate, Value: false. This key and value combination retrieves only submissions that are not marked as duplicates. |
The option keys and values are case-sensitive. Enter them exactly as they are shown in this documentation.
APIs
The Bugcrowd connector uses the Bugcrowd API. Specifically, it uses the following endpoints:
Table 4: Bugcrowd Legacy API Endpoints
Connector Object | API Endpoint |
---|---|
Program | GET https://api.bugcrowd.com/bounties |
Submission | GET https://api.bugcrowd.com/bounties, GET https://api.bugcrowd.com/vrt/{version_number}, GET https://api.bugcrowd.com/bounties/{bountyID}/submissions |
Changelog
The Bugcrowd connector has undergone the following changes:
v3.0.0
- Initial Integration+ release.