The embedded submission form allows you to place an Intigriti submission form directly on your own website. This enables external users to report vulnerabilities to a specific program without needing an Intigriti account, while still ensuring submissions are routed correctly into the platform.
💡 Note: Submissions created through the embedded form are submitted anonymously. They cannot be claimed by a researcher later on and are handled entirely within your program.
🔓 Subscriptions: Core, Premium, Enterprise
Configuring embedded submission forms
⚙️ Roles: Company Admin, Program Admin
You can configure the embedded submission form at program level.
Open your program.
Go to More and select Integrations.
Select Embedded submission form.
Verify the program settings by navigating to your program configuration and confirming that all prerequisite conditions for using the embedded form are met.
Verify the form settings and decide whether your program’s assets should be disclosed in the submission form dropdown. Assets are disclosed by default. If you choose not to disclose assets, any submission made through the embedded form is automatically linked to the asset 'Other'.
Specify the authorized domains by listing the full domain names where the submission form will be hosted, for example https://www.example.com. The form can only be rendered on domains you explicitly authorize.
Copy the provided HTML code snippet from the integration page and paste it into the HTML of your website where you want the form to appear.
Configure your Content Security Policy by adding the required CSP rules to your website’s security configuration so the embedded form can render and function correctly.
Activate the integration to make the embedded submission form live on your website.
Once activated, the embedded form is publicly accessible on the authorized domains and submissions can be created directly in the linked program.
Form features
The embedded submission form displayed on your website includes the following elements:
Introductory text
Informs researchers that, to track the progress of a submission and communicate through the platform, an Intigriti account is required. The introduction includes a link to your program page when the program is publicly accessible, allowing researchers to submit through the standard flow if they prefer.
Default submission fields
The form includes the standard submission fields required to report a vulnerability, such as severity, asset (if enabled for the form), vulnerable component, vulnerability type, proof of concept, impact, and any submission questions (if configured for the program).
Email field (optional)
Researchers can optionally provide an email address for follow-up communication. This field is handled as a submission question and allows your team to respond to the report outside of the platform, since anonymous submissions cannot be claimed or tracked by a researcher account.
Legal disclaimer
A disclaimer is shown to clearly explain the terms and conditions associated with submitting vulnerabilities anonymously, including how the information will be processed and used.
This structure ensures that researchers can submit complete and actionable reports while setting clear expectations about anonymity and follow-up limitations.
Handling anonymous submissions
A submission created via the embedded form follows the same triage and handling process as any other submission. Key differences include:
Researcher identity
The researcher will be identified as 'unknown_researcher'.
Researcher communication
Because submissions are anonymous, researchers cannot follow up on their submission or respond to messages through the platform. Any follow-up communication must be handled through the contact information provided in the submission itself.
Reward eligibility
These anonymous submissions are not eligible for any rewards, including bounties, bonuses, or reputation points.
Best practices
Use the embedded submission form for Vulnerability Disclosure Programs (VDPs) to lower the barrier for responsible disclosure and encourage reports from a wider audience.
Add the URL where the embedded form is hosted to your /.well-known/security.txt file so researchers can easily discover the correct reporting channel. Find out more information about this standard on https://securitytxt.org.
Consider disabling asset disclosure in the embedded form when exposing your full asset list is not desirable.
Limit mandatory submission questions to the essentials to keep the submission process lightweight and avoid discouraging reporters.
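The security.txt recommendation above can be verified automatically. The following is an added example, not Intigriti's code: it checks that the form URL is listed as a Contact in an RFC 9116 file and that the Expires field has not lapsed. The form path, the sample file, and the function names are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Constructed sample; the form path is a hypothetical placeholder.
FORM_URL = "https://www.example.com/report-vulnerability"
SAMPLE = """\
# security.txt for www.example.com (constructed)
Contact: https://www.example.com/report-vulnerability
Contact: mailto:security@example.com
Expires: 2030-01-01T00:00:00Z
"""

def parse_security_txt(text):
    """Map lowercased field names to value lists (RFC 9116 names are case-insensitive)."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # blank line, comment, or not a field
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_security_txt(text, form_url, now=None):
    """Return a list of problems; an empty list means the form is discoverable."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("no Contact field (RFC 9116 requires at least one)")
    elif form_url.rstrip("/") not in [c.rstrip("/") for c in contacts]:
        problems.append("embedded form URL is not listed as a Contact")
    for c in contacts:
        if c.lower().startswith("http://"):
            problems.append("Contact uses plain http: " + c)
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            # A timestamp without a UTC offset raises TypeError on comparison.
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when <= now:
                problems.append("Expires is in the past; the file is stale")
        except (ValueError, TypeError):
            problems.append("Expires is not a valid timestamp")
    return problems

if __name__ == "__main__":
    print(check_security_txt(SAMPLE, FORM_URL) or "security.txt lists the form")
```

Run it against the file served from your own /.well-known/security.txt after each change to the form's hosting page, so the published reporting channel and the authorized domain stay in sync.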