For security teams, finding and remediating vulnerabilities is part of a broader workflow that extends across the DevOps life cycle. For that reason, an end-to-end integration library that includes pre-built connectors, webhooks, and a rich, easy-to-use API is an important feature in the Bugcrowd Platform.

In 2020, we released Bugcrowd API v4 to help customers more easily prioritize, track, and remediate vulnerabilities by building their own integrations with existing internal processes. API v4 contains many features that make it even more useful than before (and harder to justify staying on v3), including: 

  1. Version management, upgrades, and testing: With API v4, customers can manage versioning themselves, allowing testing and deployment of new features and rollbacks when needed. If you’re on an older release version, the ability to painlessly adopt new functionality on your own schedule is reason enough to move to v4!
  2. Implementation of the OpenAPI spec: OpenAPI provides an easy-to-follow set of expected behaviors for our API. Together with our documentation, it gives customers lots of flexibility in how their internal systems interact with our platform programmatically. For example, implementations of OpenAPI like API v4 can automatically generate documentation and API clients in most programming languages. 
  3. Richer functionality: API v4 contains numerous enhancements (see API Changelog for docs) that make integrations with external systems richer and more productive, including:   
    1. Event-based webhooks: Receiving event-based notifications is now possible with webhooks, enabling bi-directional integrations with Bugcrowd. For example, using the submission.updated webhook, you can get notifications of updates to a submission and see the change for each field.
    2. Transition timestamps: We’ve added last_transitioned_to_STATE_at timestamps for all states to the submission resource. This lets you determine when a submission was transitioned, how long it remained in a particular state, and how quickly it’s moving through its life cycle.
    3. Informative errors: Instead of accepting any parameter for any endpoint as the v3 API did, requests that include unused top-level parameters now return a 400 error.
    4. Better connections to pre-built integrations (e.g., JIRA, GitHub, ServiceNow): We’ve added the external_issues relationship to the submission resource, allowing you to extend existing integrations in various ways.
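
The transition timestamps described above can be turned into time-in-state figures. The following is an added example, not Bugcrowd's own code: the sample attributes are constructed, and the state names and the ISO 8601 timestamp format are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample of a submission's attributes. The state names
# (new, triaged, unresolved, resolved) and timestamp format are assumptions.
SAMPLE_ATTRIBUTES = {
    "title": "Constructed example submission",
    "last_transitioned_to_new_at": "2021-03-01T09:00:00Z",
    "last_transitioned_to_triaged_at": "2021-03-02T15:30:00Z",
    "last_transitioned_to_unresolved_at": "2021-03-03T10:00:00Z",
    "last_transitioned_to_resolved_at": None,  # state never reached
}

# Matches the last_transitioned_to_STATE_at naming pattern.
FIELD = re.compile(r"^last_transitioned_to_(?P<state>\w+)_at$")


def parse_ts(value):
    """Parse an ISO 8601 timestamp, accepting a trailing 'Z' for UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def transitions(attributes):
    """Return [(state, datetime)] sorted by time, skipping unset states."""
    found = []
    for key, value in attributes.items():
        match = FIELD.match(key)
        if match and value:
            found.append((match.group("state"), parse_ts(value)))
    return sorted(found, key=lambda item: item[1])


def time_in_states(attributes, now=None):
    """Map each reached state to the time until the next recorded transition.

    The most recent state is measured up to `now`.
    """
    now = now or datetime.now(timezone.utc)
    ordered = transitions(attributes)
    durations = {}
    for i, (state, entered) in enumerate(ordered):
        left = ordered[i + 1][1] if i + 1 < len(ordered) else now
        durations[state] = left - entered
    return durations
```

Because each field records only the last transition into a state, a submission that re-enters a state overwrites the earlier timestamp, so these durations are approximate for submissions that move back and forth.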

Bugcrowd API in Action

One Bugcrowd customer uses the Bugcrowd API in a clever way: When a researcher submits a vulnerability against any of their targets, their system receives a programmatic notification of the submission being created. The system then collects metadata relating to the target in question from its various sources, and posts that data back to the submission as a comment for relevant stakeholders. As a result, everyone has access to all the context and information they need about a vulnerability submission and its status.

Why Wait?

To migrate to API v4, use the instructions here. (Note: Going forward, API v3 will be in maintenance mode, with no further enhancements.) We’re here for you if you need help; if it seems like there is something you used to do in v3 that is no longer possible in v4, please contact us via support@bugcrowd.com right away.