BugCrowd Connector

Bugcrowd is a crowdsourced security platform, and is used by organizations for 24/7 Bug Bounty programs and white-hat Vulnerability Disclosure.

To import your internal BugCrowd findings to Cisco Vulnerability Management, please use the Cisco Vulnerability Management Security BugCrowd Connector.

User Prerequisites/Connector Setup:

• The BugCrowd Connector does not need a Kenna Virtual Tunnel or Kenna Agent.

• The User must have API Access to the BugCrowd API.

• The User must have access to the items you wish to import to Cisco Vulnerability Management.

Configuring your Connector in Cisco Vulnerability Management

To set up the Connector, navigate to the Connectors tab in your Cisco Vulnerability Management deployment (you must be a Cisco Vulnerability Management Administrator to do so). On the Connectors page, select the Bugcrowd connector at the top of the page under the “Bug Bounties” section.

Once you select the Bugcrowd connector the following screen will appear:

• Enter a name for the connector, or leave it as “Bugcrowd."

• Enter the Username and Password for the user account with the API key and access you need.

  • As of November 2021, Bugcrowd requires the use of a 'Legacy' API token to access v3. See: New token deprecation warning for the legacy (v3) API
  • To ensure Cisco Vulnerability Management has continued access to this data, be sure to choose "Legacy" type when generating your token. See: https://docs.bugcrowd.com/api/getting-started/

• Schedule the connector and select the run frequency.

• Click "Save and Verify."

• If you’d like to set a connector level asset inactivity limit, you can do that at this time. For Bug Bounty connectors we recommend a longer Asset Inactivity Limit, as these items are ingested / seen less often than a typical VM/AppSec vulnerability.

What Bugcrowd Items does Cisco Vulnerability Management Import and what API Calls are involved?

Cisco Vulnerability Management will import all of the findings associated with the user account leveraged. We will pull all of the recognized Submissions from BugCrowd.

*Important: Target Name may appear as “Unset BugCrowd Target”

The Connector does not pull in the following:

• Amount Paid

• Comments

• Custom Fields

• Unfamiliar vrt_records that cannot be logically mapped

  • This information will not fail the connector, but this record will not be included in the successful run.

The API endpoints we leverage are:

•  https://api.bugcrowd.com

• …/submissions/#{bounty_uuid}

• /bounties/#{bounty_uuid}/submissions

• Please note we are currently using the v3 API for BugCrowd at this time.

Optional Settings

The following settings can be enabled on the backend for Bugcrowd Connectors. To have these settings enabled, or for more information, please contact Support, or your Customer Success Engineer.

• Exclude Informationals

  • When this option is enabled, Cisco Vulnerability Management will not import vulnerabilities that do not include a CVE, CWE, or WASC ID.

• Ignore Scanner Last Seen Time

  • This can be enabled for customers who do not want the asset last seen time in Cisco Vulnerability Management to be the scanner reported last seen time.

• Custom Ordered Locators

  • Locators (IP, Netbios, FQDN, etc) can be reordered to better deduplicate vulnerabilities on the connector level or the entire Platform level. For more information see the help article here.

Common Reasons for BugCrowd Connector Run Failures

• Bad credentials

• No reports are found, Cisco Vulnerability Management will abort

• Failed API calls

• Inability to process unexpected data/format

• If more than 1% of connector payloads fail, Cisco Vulnerability Management will auto-fail the Connector Run.

Additional Assistance:

Please contact Support should you require any additional assistance with the Bugcrowd Connector(s).