Import vulnerability reports from other tools and sources
Company-wise and even application-wise, there is not one unique source of vulnerability reports.
Bug Bounty is one of them, but certainly not the only one.
Whether it’s a pentest, a scanner output, an audit or ethical vulnerability disclosure, the important thing is to be able to collect, analyze and correct vulnerability reports in an efficient and reliable way.
YesWeHack can be used for this purpose: when relevant and necessary, you can import vulnerability reports from any source.
How does it work?
The Reports Import feature is available from any Bug Bounty program’s management panel.
From this interface, you can import new reports and consult the program’s import history, including the status of each import and the error logs of failed ones.
So that reports from other sources end up in the YesWeHack report format, a dedicated data-mapping function lets you define which column of your import file corresponds to which field of the report.
On the left: the fields that will be provisioned in the YesWeHack report(s).
On the right: the columns from your import file.
The imported reports are then attached to the program and accessible from the ‘Reports’ menu, with exactly the same layout, features and workflow as any other Bug Bounty report (e.g. statuses, integration with bug trackers, priorities, scoring, etc.).
Some fields and inputs are a bit peculiar, which is why a dedicated user guide details the data formats and specific use cases, along with a .csv template.
Now that we have covered the basics of this feature, you can see that there are several use cases, e.g.
- Import (open) reports from a previous program into a new one, so as not to lose track of them and to manage potential duplicates.
- Import vulnerability reports from different sources (pentest, audit, scanners, VDP, …) to monitor and process them alongside bug bounty reports and easily set your priorities.
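As an added example (not YesWeHack’s own code, and not the feature’s actual field list or template), the following script shows the column-to-field mapping step the import relies on: it normalises a scanner export whose column names differ from the report fields, rejects rows with missing required fields or a malformed ‘Hunter email’, and flags potential duplicates before anything is imported. All target field names other than ‘Hunter email’, the mapping and the sample CSV are assumptions.

```python
import csv
import io
import re
# Hypothetical target fields; the real list is in the import user guide and .csv template.
TARGET_FIELDS = ["Title", "Description", "Severity", "Scope", "Hunter email"]
REQUIRED = {"Title", "Description", "Severity"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def map_rows(source_csv, mapping):
    """mapping = {target field: source column}. Returns (accepted rows, error messages)."""
    rows, errors = [], []
    for lineno, src in enumerate(csv.DictReader(io.StringIO(source_csv)), start=2):
        row = {field: (src.get(col) or "").strip() for field, col in mapping.items()}
        missing = sorted(f for f in REQUIRED if not row.get(f))
        if missing:
            errors.append(f"line {lineno}: missing {', '.join(missing)}")
            continue
        email = row.get("Hunter email", "")
        if email and not EMAIL_RE.match(email):  # a bad address means no claim request
            errors.append(f"line {lineno}: invalid hunter email {email!r}")
            continue
        rows.append(row)
    return rows, errors

def find_duplicates(rows):
    """Titles whose normalised title + scope already appeared (potential duplicates)."""
    seen, dupes = set(), []
    for row in rows:
        key = (re.sub(r"\W+", " ", row["Title"]).lower().strip(), row.get("Scope", "").lower())
        if key in seen:
            dupes.append(row["Title"])
        seen.add(key)
    return dupes

def to_import_csv(rows):  # serialise mapped rows with the target field names as header
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=TARGET_FIELDS)
    writer.writeheader()
    writer.writerows({f: row.get(f, "") for f in TARGET_FIELDS} for row in rows)
    return buf.getvalue()

# Constructed sample: a scanner export whose column names differ from the report fields.
SCANNER_CSV = """name,details,risk,asset,reporter
Reflected XSS in search,Parameter q is echoed unescaped,High,www.example.com,
SQL injection in /login,Boolean-based blind,Critical,api.example.com,hunter@example.net
Reflected XSS in search,Same finding from a second scan run,High,www.example.com,
Missing security headers,,Low,www.example.com,not-an-email
"""
SCANNER_MAPPING = {"Title": "name", "Description": "details", "Severity": "risk",
                   "Scope": "asset", "Hunter email": "reporter"}
```

Running `map_rows(SCANNER_CSV, SCANNER_MAPPING)` accepts three rows and rejects the fourth for its empty description; `find_duplicates` then flags the repeated XSS finding so it can be handled before import.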
Let’s focus on one example:
- A researcher has reported a vulnerability to a given company through its Vulnerability Disclosure Policy or security mailbox.
- This company has a private Bug Bounty program on YesWeHack and would like to reward this hunter and further collaborate with them on the remediation, in a secure and structured manner.
The company’s program managers can import the report and enter the researcher’s email address in the ‘Hunter email’ field.
When the report is created, it automatically generates a claim request to that researcher.
Once the report has been claimed by the invited hunter, they can access the report and further interact with the company even if they are not invited to the program.
From here, as per any Bug Bounty report, the company can:
- Ask the hunter for more information
- Ask for a fix verification
- Reward with a bounty
- Reward with quality points
Need help with your use case? You can obtain more support by contacting firstname.lastname@example.org