Bugcrowd Blog

Cut Through The Noise; The Value of a Disclosure Program

Posted by Travis Andrade on Sep 27, 2017 10:00:00 AM

In talking with our customers, and particularly larger customers, we often hear of the need to establish an open, public, and passive channel for vulnerability disclosure from their users, customers, and the broader security community. These customers aren’t always ready for a public bug bounty but they may already have an existing security@ email address. They often have an existing security page and want the ability to accept disclosures directly from their website.

We advise these customers to establish a public Bugcrowd disclosure program. Our platform, Crowdcontrol™, allows customers to easily accept vulnerability disclosures from researchers around the world and harness the power of the Bugcrowd community. Setting up and communicating a disclosure program helps users understand that you’re willing and able to fix vulnerabilities in your software. Our platform and security team operationalize the disclosure process—ensuring customers quickly fix issues that present an actual risk to their software and infrastructure.

New Platform Update - Embedded Submission Form

Today we are excited to announce the Bugcrowd Embedded Submission Form!

The Embedded Submission Form allows customers to capture vulnerability submissions from anyone on their public website, while continuing to harness the power of Bugcrowd’s vulnerability triage and validation services. This feature streamlines the process for organizations to launch their own disclosure program by hosting it directly on their website. In combination with the email and in-platform channels, this makes Crowdcontrol the most flexible and powerful offering for public vulnerability disclosure programs.

Utilizing the Embedded Submission Form is as simple as dropping a JavaScript snippet on your security page. When researchers view the page, they will see a simple form and be able to easily submit vulnerability reports. Crowdcontrol’s advanced “claim ticket” process allows researchers to submit—even anonymously—and claim the submission later, should customers require more information. In utilizing this new feature, organizations will be able to leverage the power of Bugcrowd’s platform and managed experience to manage incoming vulnerability reports.

How it works

1. Copy the External Submission Form Script provided by Bugcrowd.

2. Embed the External Submission Form code into a page on your website.

3. Whitelist your site domain so that the form can appear on your website.

4. Contact Bugcrowd to enable your form.

5. Share and receive vulnerabilities.

Take a look at what the External Submission Form looks like when embedded on a website here.

For further detail on the new external submission form, visit our documentation and see our one-pager. If you have any thoughts, ideas, or questions, we’d love to hear from you at support@bugcrowd.com or @Bugcrowd.
