Integration with Bug Trackers

Seamlessly synchronize your YesWeHack reports with your internal Bug Tracking tool(s)

With our Bug Tracking features and tools, you can integrate vulnerability reports in your internal Bug Tracker.
And if you want to take it further, we also support 2-way synchronization, where all actions would reflect on both sides of the tracking/remediation workflow (YesWeHack <-> Bug Tracker). 

It is extremely simple to setup and only requires some configuration - no developments needed! 

This feature enables you to better manage your vulnerability remediation workflow and seamlessly integrate with your existing processes and tools.

Currently, we support integration with :

  • GitHub
  • Gitlab
  • Jira on-prem and Jira cloud
  • Servicenow

Once the integration set-up is completed, how does it look like?

Let's say that you are running a Bug Bounty program  and want to sync vulnerability reports and issues in your Bug Tracker (e.g. Jira) and you have completed the integration set-up (cf next part below).

From your report, you can ask for the integration of a given vulnerability report. 

It will create an issue in your Bug Tracker with all the information coming from the YesWeHack report.
You can see some examples below:

bug_trackers

At the same time, on your vulnerability report, you will find a private comment that confirms the proper tracking, with reference to the issue created in your bug tracker (ID and URL).

If that is not enough and you want to further synchronize your YesWeHack reports' lifecycle with its corresponding issue in your bug tracker, you can activate several sync options, for example: synchronize comments or statuses between both tools. 

The workflow below describes the main interactions between our YesWeHack platform and your bug tracker :

Step 1: initial creation of the issue in your bug tracker

The integration script will automatically crawl for reports with “Ask for integration” tracking status, create a corresponding issue in your bug tracking system.

Issue's creation is achieved upon first synchronization after ”Ask for integration” (AFI) Tracking
Status is triggered.

  • When integrated, Tracking Status is automatically updated to ”Tracked”
  • Creation is possible whatever report status. It is however advised to set AFI status only after
    acceptance, since the report is from this point considered valid.
  • Subsequent returns to ”Ask for integration” status won’t create another issue.

Step 2 : comments synchronization

During the integration set-up, you may decide to selectively synchronize specific report logs to your tracker, i.e. decide to update your issues with some parts of your tracked reports by enabling one or several of the following options :

  • Upload private comments : private comments will be automatically added to the issue
  • Upload public comments : public comments will be automatically added to the issue
  • Upload details updates : report details updates (e.g. CWE-ID modification) will be automatically reflected on the issue
  • Upload rewards : reward allocation comment will be automatically added to the issue (but won’t display the reward amount)
  • Upload status : status updates and corresponding comments will be automatically added to the issue

Step 3 : Status synchronization 

You can setup the tool in order to automatically update the report and ask the hunter for a fix verification once the issue is set as closed in your Bug Tracker (which normally means that the fix is deployed). 

How do I set-up the bug tracker integration?

To set-up this integration up for one of your programs, there are 2 main steps :

A- Create a Personal Access Token and select the ‘Program Bug Tracker’ role.

B - Configure and install YWH2BT

A - Create a Personal Access Token (PAT)

To do so, please refer to our dedicated article here.

You need to create the PAT with the role Program Bug tracker  

Once the PAT is generated, make sure to save it and store it securely, you will need it just after!

B - Configure and install YWH2BT

First of all, Bug Tracker integration script and detailed documentation are available on our github ! You will find there everything you need to know if you need more details.

B1. Install the YWH2BT tools

Please refer to our detailed documentation on our github, depending on your environment.

YWH2BT embeds both the GUI to set up the integration, and the application to be scheduled on your server to periodically poll and synchronize new reports. You can either run both on a single machine, or prepare the configuration file on a computer (with the GUI).

B2. Configuration with the GUI

Once the YW2BT tool is installed, you may launch the the Graphical User Interface (GUI). It will allow you to create, modify, validate and convert your YWH2BT configuration files.

For a detailed description step by step, please refer to our documentation.

Here is an overview of what you will need to do:

  • Get an access token on your Bug Tracker (for example a Github API access token or a JIRA API token)
  •  Personalize and select the fields you want to synchronize
  • Generate a configuration file (.yaml or .json)
  • Install the YWH2BT docker on the server/machine that will plan the synchronization