Bugcrowd integration is an optional feature, turned off by default. You can enable Bugcrowd integration or HackerOne integration, but not both.
- Bugcrowd is an outsourced security platform and managed Bug Bounty service
- Domain Protect automatically creates findings as known issues in Bugcrowd using the Bugcrowd API
- if a researcher submits a similar finding after Domain Protect, their submission can be marked as a Duplicate
- reduces payouts to Bug Bounty researchers
- to avoid duplicate issues, only your production environment will be integrated with Bugcrowd
- by default this will be the `prd` Terraform workspace. If you have chosen a different Terraform workspace name for production, update the Terraform variable:

```hcl
production_environment = "prd"
```
- Bugcrowd issues are only created for vulnerability types which don't support automated takeover
- create a service account, e.g. [email protected], and add it as an administrator of your Bugcrowd team
- log in to Bugcrowd as the service account user
- create an API token following Bugcrowd instructions
- select API version `2021-10-28`
- set Terraform variables in your CI/CD pipeline or tfvars file, e.g.

```hcl
bugcrowd = "enabled"
bugcrowd_api_key = "xxxxxxx-xxxxxxx-xxxxxxx-xxxxxxx"
bugcrowd_email = "[email protected]"
```
- apply Terraform
- create a custom emoji in Slack using the Bugcrowd image
- name the emoji `:bugcrowd:`
You still need to do the following tasks manually using the Bugcrowd console:
- mark issues submitted by researchers as duplicates
- only do this if the Domain Protect issue was submitted first
- link to the Domain Protect issue as the duplicate reference
- after the vulnerability is fixed, change the status to `resolved`
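The rules above (only the production workspace is integrated, only vulnerability types without automated takeover are raised, and a researcher submission is a Duplicate only when the Domain Protect issue came first) can be expressed as a small triage helper. The following is an added example written for this page, not Domain Protect's own code: the vulnerability type labels, the `TAKEOVER_SUPPORTED` set, the domains, timestamps and `DP-…` references are all constructed sample values.

```python
"""Triage helper mirroring the Bugcrowd integration rules described above.

Constructed example, not Domain Protect's own code. Vulnerability type
names, domains, timestamps and Bugcrowd references are made-up values.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumption: labels of vulnerability types for which automated takeover
# is available. Issues for these types are NOT raised in Bugcrowd.
TAKEOVER_SUPPORTED = frozenset({"s3-bucket"})


@dataclass(frozen=True)
class Finding:
    """A Domain Protect finding, tagged with the Terraform workspace it came from."""
    domain: str
    vuln_type: str
    workspace: str
    reported_at: datetime
    bugcrowd_reference: str  # known-issue reference to cite when marking duplicates (constructed)


@dataclass(frozen=True)
class Submission:
    """A researcher submission received in Bugcrowd."""
    submission_id: str
    domain: str
    submitted_at: datetime


def should_create_bugcrowd_issue(finding, production_environment="prd",
                                 takeover_supported=TAKEOVER_SUPPORTED):
    """Gate 1: production workspace only. Gate 2: no automated takeover for this type."""
    return (finding.workspace == production_environment
            and finding.vuln_type not in takeover_supported)


def duplicate_references(findings, submissions, production_environment="prd"):
    """Map submission_id -> Domain Protect reference for submissions that may be marked Duplicate.

    A submission qualifies only when a Bugcrowd-eligible Domain Protect finding
    for the same domain was raised strictly before the researcher submitted.
    """
    first_known = {}
    for f in findings:
        if not should_create_bugcrowd_issue(f, production_environment):
            continue  # never reached Bugcrowd, so it cannot be the duplicate reference
        if f.domain not in first_known or f.reported_at < first_known[f.domain].reported_at:
            first_known[f.domain] = f
    out = {}
    for s in submissions:
        known = first_known.get(s.domain)
        if known is not None and known.reported_at < s.submitted_at:
            out[s.submission_id] = known.bugcrowd_reference
    return out


def _ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample data
FINDINGS = [
    Finding("shop.example.com", "cname-dangling", "prd", _ts("2024-03-01T09:00:00"), "DP-1001"),
    Finding("static.example.com", "s3-bucket", "prd", _ts("2024-03-01T09:05:00"), "DP-1002"),    # takeover supported: not raised
    Finding("test.example.com", "cname-dangling", "dev", _ts("2024-03-01T09:10:00"), "DP-1003"),  # non-production: not raised
    Finding("api.example.com", "cname-dangling", "prd", _ts("2024-03-05T12:00:00"), "DP-1004"),
]

SUBMISSIONS = [
    Submission("SUB-1", "shop.example.com", _ts("2024-03-02T08:00:00")),    # after DP-1001: may be marked Duplicate
    Submission("SUB-2", "static.example.com", _ts("2024-03-02T08:00:00")),  # no known issue was raised: pays out
    Submission("SUB-3", "test.example.com", _ts("2024-03-02T08:00:00")),    # dev finding never raised: pays out
    Submission("SUB-4", "api.example.com", _ts("2024-03-04T08:00:00")),     # researcher was first: pays out
]


def triage():
    """Run both rule sets over the constructed sample data."""
    raised = [f.bugcrowd_reference for f in FINDINGS if should_create_bugcrowd_issue(f)]
    return raised, duplicate_references(FINDINGS, SUBMISSIONS)


if __name__ == "__main__":
    raised, dupes = triage()
    print("Known issues to create in Bugcrowd:", raised)
    print("Researcher submissions that may be marked Duplicate:", dupes)
```

The strict `reported_at < submitted_at` comparison is deliberate: when the timestamps are equal the researcher is given the benefit of the doubt, matching the page's rule that a submission is only a duplicate if the Domain Protect issue was submitted first. Passing `production_environment` through both functions mirrors the Terraform variable of the same name.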