BugCrowd Connector

Caleb Eckenwiler

August 30, 2021 23:59

Bugcrowd is a crowdsourced security platform, and is used by organizations for 24/7 Bug Bounty programs and white-hat Vulnerability Disclosure.

To import your internal BugCrowd findings to Kenna, please use the Kenna Security BugCrowd Connector.

User Prerequisites/Connector Setup:

The BugCrowd Connector does not need a Kenna Virtual Tunnel or Kenna Agent.
The User must have API Access to the BugCrowd API.
The User must have access to the items you wish to import to Kenna.

Configuring your Connector in Kenna

To set up the Connector, navigate to the Connectors tab in your Kenna deployment (you must be a Kenna Administrator to do so). On the Connectors page, select the Bugcrowd connector at the top of the page under the “Bug Bounties” section.

Once you select the Bugcrowd connector the following screen will appear:

Enter a name for the connector, or leave it as “Bugcrowd."
Enter the Username and Password for the user account with the API key and access you need.
- As of November 2021, Bugcrowd requires the use of a 'Legacy' API token to access v3. See: New token deprecation warning for the legacy (v3) API
- To ensure Kenna has continued access to this data, be sure to choose "Legacy" type when generating your token. See: https://docs.bugcrowd.com/api/getting-started/
Schedule the connector and select the run frequency.
Click "Save and Verify."
If you’d like to set a connector level asset inactivity limit, you can do that at this time. For Bug Bounty connectors we recommend a longer Asset Inactivity Limit, as these items are ingested / seen less often than a typical VM/AppSec vulnerability.

What Bugcrowd Items does Kenna Import and what API Calls are involved?

Kenna will import all of the findings associated with the user account leveraged. We will pull all of the recognized Submissions from BugCrowd.

Fields in BugCrowd	Fields in Kenna	Notes
target_name*	Application identifier	Search for application_identifer in Kenna by using the custom query box and typing application:""
submissions > Bug_url	URL	Search for url in Kenna by using the custom query box and typing url:""
state (is_open)	Vulnerability Status
reference_number	scanner_id
priority	scanner_score	1-5
vrt_lineage	unique_identifier on the vulnerability page
Description	Description
Extra Information	Details
remediation_advice + vulnerability_references	Diagnosis in Fixes / or scanner_vulnerability in vulnerability

*Important: Target Name may appear as “Unset BugCrowd Target”

The Kenna Connector does not pull in the following:

Amount Paid
Comments
Custom Fields
Unfamiliar vrt_records that cannot be logically mapped
- This information will not fail the connector, but this record will not be included in the successful run.

The API endpoints we leverage are:

https://api.bugcrowd.com
…/submissions/#{bounty_uuid}
/bounties/#{bounty_uuid}/submissions
Please note we are currently using the v3 API for BugCrowd at this time.

Optional Settings

The following settings can be enabled on the backend for Bugcrowd Connectors. To have these settings enabled, or for more information, please contact Support, or your Customer Success Engineer.

Exclude Informationals
- When this option is enabled, Kenna will not import vulnerabilities that do not include a CVE, CWE, or WASC ID.
Ignore Scanner Last Seen Time
- This can be enabled for customers who do not want the asset last seen time in Kenna to be the scanner reported last seen time.
Custom Ordered Locators
- Locators (IP, Netbios, FQDN, etc) can be reordered to better deduplicate vulnerabilities on the connector level or the entire Platform level. For more information see the help article here.

Common Reasons for BugCrowd Connector Run Failures

Bad credentials
No reports are found, Kenna will abort
Failed API calls
Inability to process unexpected data/format
If more than 1% of connector payloads fail, Kenna will auto-fail the Connector Run.

Additional Assistance:

Please contact Kenna Support should you require any additional assistance with the Bugcrowd Connector(s).