The embedded submission form allows you to receive vulnerability reports directly from your website. This feature enables anonymous reporting from researchers without requiring them to create an Intigriti account, simplifying the disclosure process.
Key takeaways:
Enable anonymous vulnerability submissions directly on your domain.
The setup involves verifying program settings, authorizing domains, and adding a code snippet to your site.
Submissions from the form are treated like any other, but the researcher appears as 'unknown_researcher' and is not eligible for rewards.
Who this article is for: Program managers and company administrators responsible for configuring their vulnerability disclosure program.
Prerequisites
Before setting up the embedded form, your program must meet the following requirements:
Your program status is set to "open" or "suspended".
Custom program terms and conditions are not enabled.
Note: If these prerequisites are no longer met after the integration is active, the form will not render on your website. A warning message will appear on the integration page in your Intigriti settings to help you resolve the issue.
Setup process
Follow these steps to configure the embedded submission form for your program.
1. Verify program settings: Navigate to your program settings and confirm that your program meets all the prerequisite conditions listed above.
2. Open the integration overview: Select More > Integrations > Embedded submission form > Open overview.
3. Verify form settings: Decide whether to disclose your program's assets in the submission form's dropdown menu. By default, assets are disclosed. If you choose not to disclose them, every submission made through the form is automatically linked to the asset 'other'.
4. Specify authorized domains: In the integration settings, list the full domain(s) where you plan to host the submission form (e.g., https://www.example.com). This ensures the form can only be rendered on websites you have explicitly authorized.
5. Add the code snippet: Copy the provided HTML code snippet from the integration page and paste it into the HTML of your website where you want the form to appear.
6. Configure Content Security Policy (CSP): To allow the form to render and function correctly, add the required CSP rules to your website's security configuration. Add only the sources the integration requires; do not loosen the rest of your policy (for example with a wildcard `*`) to make the form load.
7. Activate the integration: Once the setup is complete, enable the embedded form feature in your program's integration settings to make it live on your website.
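The CSP step in practice, as an added example that is not Intigriti's code or part of the original article: a small Node.js helper that merges the sources an embedded form needs into an existing Content-Security-Policy header without widening any other directive, then checks the result. The host `https://form-host.example`, the three directives it is added to, and the sample policy are placeholders assumed for illustration; substitute the exact rules shown on your program's integration page.

```javascript
// Added example (not Intigriti's code): merge the sources an embedded form
// needs into an existing Content-Security-Policy header without loosening
// the rest of the policy, then check the result.
// The host and directives below are PLACEHOLDERS: substitute the exact CSP
// rules shown on your program's integration page.
const EMBED_SOURCES = {
  "script-src": ["https://form-host.example"],  // assumed: loader script
  "frame-src": ["https://form-host.example"],   // assumed: form iframe
  "connect-src": ["https://form-host.example"], // assumed: form API calls
};

// Constructed sample: a typical existing policy with no frame-src/connect-src.
const SAMPLE_CSP =
  "default-src 'self'; script-src 'self' https://cdn.example.com; img-src 'self' data:";

// Parse "directive source source; directive ..." into Map<directive, string[]>.
function parseCsp(header) {
  const policy = new Map();
  for (const chunk of header.split(";")) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function serializeCsp(policy) {
  return [...policy]
    .map(([name, sources]) => [name, ...sources].join(" "))
    .join("; ");
}

// Add only the required sources. A directive that is absent inherits from
// default-src in the browser, so start from that list rather than from an
// empty (allow-all) one. 'none' cannot coexist with other sources, so it is
// dropped once a real source is added.
function mergeCsp(header, required) {
  const policy = parseCsp(header);
  for (const [name, sources] of Object.entries(required)) {
    const base = policy.get(name) ?? policy.get("default-src") ?? ["'none'"];
    const merged = base.filter((s) => s !== "'none'");
    for (const src of sources) if (!merged.includes(src)) merged.push(src);
    policy.set(name, merged);
  }
  return serializeCsp(policy);
}

// Simplified source matching: exact origin, "*", or a bare scheme such as
// "https:". Host wildcards (*.example.com) and 'self' are not evaluated here.
function cspAllows(header, directive, origin) {
  const policy = parseCsp(header);
  const sources = policy.get(directive) ?? policy.get("default-src") ?? [];
  return sources.some(
    (s) =>
      s === "*" ||
      s === origin ||
      (/^[a-z][a-z0-9+.-]*:$/i.test(s) && origin.startsWith(s))
  );
}

// Flag directives that were loosened with wildcards or unsafe keywords.
function auditCsp(header) {
  const findings = [];
  for (const [name, sources] of parseCsp(header)) {
    for (const s of sources) {
      if (s === "*" || s === "'unsafe-inline'" || s === "'unsafe-eval'") {
        findings.push(`${name}:${s}`);
      }
    }
  }
  return findings;
}

const mergedCsp = mergeCsp(SAMPLE_CSP, EMBED_SOURCES);
console.log(mergedCsp);
console.log("findings:", auditCsp(mergedCsp));
```

Run it once against your current header value to see which directives change; `auditCsp` returning anything other than an empty list means the policy was loosened beyond what the form needs and should be tightened back before activating the integration.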
Form features
The embedded form displayed on your website includes:
Introductory text: Informs researchers that they must log in to an Intigriti account to track their submission's progress, with a link to your program page.
Optional email field: Researchers can provide an email address for follow-up communications. This is handled as a submission question.
Legal disclaimer: Clearly explains the terms associated with anonymous submissions.
Handling an anonymous submission
A submission created via the embedded form follows the same triage and management process as any other submission. Key differences include:
Researcher identity: The researcher will be identified as 'unknown_researcher'.
Reward eligibility: These anonymous submissions are not eligible for any rewards, including bounties, bonuses, or reputation points.