Note: This setup guide is intended for use with ServiceNow Application Vulnerability Response. If you intend to set up this integration for ServiceNow Vulnerability Response, please refer to this setup guide.
Note: This integration is only available for Enterprise programs.
Configure OAuth
Note: If you have configured an Application Registry before, you can skip this section.
Navigate to System OAuth > Application Registry in your ServiceNow settings.
Click New to create a new Application Registry.
Click Create an OAuth API endpoint for external clients
Enter these values for these fields:
Name: HackerOne
Client ID: This is auto-generated. Copy this value; you'll need this later when setting up the OAuth connection.
Client Secret: Enter a secret key. You'll need this key again later in the process when setting up the OAuth connection.
Click Submit.
Create a Scripted REST API
Navigate to System Web Services > Scripted REST APIs.
Click New to create a new Scripted REST service:
Enter these values for these fields:
Name: HackerOne
API ID: hackerone
Default ACLs: vulnerability_integration_svc
Click Submit and then open the newly created API.
Create Vulnerability API
Under the Resources tab, click New.
Enter these values for these fields:
Name: Create Vulnerability
HTTP Method: POST
Relative path: /create_vulnerability_avr
Add the following script to process incoming vulnerability data:
(function process(/*RESTAPIRequest*/ request, /*RESTAPIResponse*/ response) {
try {
let request_body;
try {
request_body = JSON.parse(request.body.dataString);
} catch (error) {
response.setStatus(400);
response.setBody({ error: "Invalid JSON payload" });
return;
}
let date = new Date(request_body.submission_date_y_m_d);
let year = date.getFullYear();
/** CONFIGURATION */
const vul_table = "sn_vul_app_vul_entry";
const vul_item_table = "sn_vul_app_vulnerable_item";
const vul_source = "HackerOne";
const vul_entry_id = "H1-" + year + "-" + request_body.report_id.toString();
/** HELPER FUNCTIONS */
function mapCVSSAttackVector(letter) {
const mappings = {
N: "NETWORK",
A: "ADJACENT",
L: "LOCAL",
P: "PHYSICAL",
};
return mappings[letter] || "";
}
function mapCVSSScore(letter) {
const mappings = {
N: "NONE",
L: "LOW",
H: "HIGH",
R: "REQUIRED",
U: "UNCHANGED",
C: "CHANGED",
};
return mappings[letter] || "";
}
/** MAIN */
let vul_entry = new GlideRecord(vul_table);
let cwe_entry = new GlideRecord("sn_vul_cwe");
const cvss_components = [
request_body.cvss_calculation_method,
`AV:${request_body.cvss_attack_vector}`,
`AC:${request_body.cvss_attack_complexity}`,
`PR:${request_body.cvss_privileges_required}`,
`UI:${request_body.cvss_user_interaction}`,
`S:${request_body.cvss_scope}`,
`C:${request_body.cvss_confidentiality}`,
`I:${request_body.cvss_integrity}`,
`A:${request_body.cvss_availability}`,
];
const cvss_vector_string = cvss_components.join("/");
if (!vul_entry.get("id", vul_entry_id)) {
vul_entry.initialize();
vul_entry.setValue("id", vul_entry_id);
vul_entry.setValue("source_severity", parseInt(request_body.severity_number));
vul_entry.setValue("source", vul_source);
vul_entry.setValue("threat", request_body.details);
if (request_body.cvss_calculation_method.includes("CVSS:3.1") || request_body.cvss_calculation_method.includes("CVSS:3.0")) {
vul_entry.setValue("v3_attack_vector", mapCVSSAttackVector(request_body.cvss_attack_vector));
vul_entry.setValue("v3_attack_complexity", mapCVSSScore(request_body.cvss_attack_complexity));
vul_entry.setValue("v3_privileges_required", mapCVSSScore(request_body.cvss_privileges_required));
vul_entry.setValue("v3_user_interaction", mapCVSSScore(request_body.cvss_user_interaction));
vul_entry.setValue("v3_scope_change", mapCVSSScore(request_body.cvss_scope));
vul_entry.setValue("v3_confidentiality_impact", mapCVSSScore(request_body.cvss_confidentiality));
vul_entry.setValue("v3_integrity_impact", mapCVSSScore(request_body.cvss_integrity));
vul_entry.setValue("v3_availability_impact", mapCVSSScore(request_body.cvss_availability));
vul_entry.setValue("cvss_base_score", request_body.cvss_score);
vul_entry.setValue("cvss_vector", cvss_vector_string);
}
if (request_body.cwe && cwe_entry.get("cwe_id", request_body.cwe)) {
vul_entry.setValue("cwe_id", cwe_entry.sys_id);
}
vul_entry.insert();
}
let vul_item = new GlideRecord(vul_item_table);
vul_item.initialize();
if (!vul_item.get('vulnerability', vul_entry.sys_id)) {
vul_item.setValue('source', vul_source);
vul_item.setValue('vulnerability', vul_entry.sys_id);
vul_item.setValue('technical_details', request_body.details.substring(0, 1000));
vul_item.setValue('scan_type', 'manual')
vul_item.insert();
}
response.setStatus(201);
response.setBody({
table_name: vul_item_table,
sys_id: vul_item.sys_id || false,
external_id: vul_item.number || false,
link: vul_item.sys_id ? gs.getProperty("glide.servlet.uri") + vul_item.getLink() : false,
});
} catch (error) {
response.setStatus(500);
response.setBody({ error: "Server error", details: error.toString() });
}
})(request, response);Click Submit.
Copy the Resource path of the newly created resource and save it for use later
Setup Severity Map
Navigate to Vulnerability Response > Normalized Severity Maps
To ensure accurate severity representation, use the following severity mapping between HackerOne and ServiceNow:
Configure on HackerOne
To set up the integration on HackerOne:
To access integrations, go to Engagements, click the kebab menu for the program you’re interested in, then click Settings.
Scroll down to Automation > Integrations.
Click Connect with ServiceNow.
Click Set up new integration to start the setup process.
Click on New Authentication to set up the connection to ServiceNow
Authenticate your ServiceNow instance by entering information into these fields:
ServiceNow Instance URL: Enter the full URL to your ServiceNow instance, for example, it could be: https://my-instance.service-now.com/
Client ID & Client Secret: Enter the Client ID and Client secret from step 4 in Configure OAuth.
Click Create, and in the popup, click Allow.
Click Next. Enter the URLs of the scripted resources you have created before and click Next.
(Optional) Select which actions in HackerOne you'd like to post to ServiceNow in the Select HackerOne to ServiceNow events window. You can choose from:
Comments: When someone comments on a report, post an update on the associated ServiceNow item.
State changes: When someone changes the state of a report, post an update on the associated ServiceNow item.
Rewards: When someone awards or suggests a bounty and/or bonus, post an update on the associated ServiceNow item.
Show Bounty Award: Show the amount when a bounty is awarded or suggested (this also requires Rewards to be enabled).
Assignee changes: When someone assigns a user/group to a report, post an update on the associated ServiceNow item.
Disclosure: Post an update on the associated ServiceNow item when disclosure is requested or a report becomes public.
Synchronize attachments: Synchronize attachments linked with reports and comments to the associated ServiceNow item.
Copy the HackerOne ServiceNow Listener URL and save it for use when configuring outgoing requests.
Enable the integration after finishing the setup wizard.
Configuring Outgoing Requests
After configuring incoming requests, you’ll need to configure outgoing requests in ServiceNow enabling you to post comments from ServiceNow to HackerOne. You’ll need to use Outbound REST Messages and Business Rules in the configuration process.
To configure posting comments from ServiceNow to HackerOne:
Navigate to: System Web Services > Outbound > REST Message.
Click New to create a new Outbound REST Message.
Enter these values for these fields:
Name: HackerOne
Endpoint: The Public ServiceNow URL. This is found in the configuration wizard on the HackerOne platform.
Authentication Type: No authentication
Click Submit.
Reopen the HackerOne outbound REST message you just created.
Click New to add a new HTTP Method.
Enter these values for these fields:
Name: New Comment
HTTP Method: POST
Authentication Type: Inherit from parent
Enter this in the Content field in the HTTP Request tab:
{
"event_name": "new_comment",
"message": "${message}",
"sys_id": "${sys_id}",
"element_id": "${element_id}"
}Add these two HTTP Headers on the same HTTP Request tab:
Accept: application/json
Content-Type: application/json
Click Submit.
Navigate to System Definition > Business Rules.
Click New to create a new business rule.
Enter these values for these fields:
Name: Add Comment
Table: Journal Entry [sys_journal_field]
Advanced: Make sure the box is checked
Enter these values for these fields on the When to run tab.
When: async
Insert: Make sure the box is checked
Filter Conditions:
Value is not empty: AND :
Name : is : sn_vul_vulnerable_item
Enter this script in the Advanced tab:
(function executeRule(current, previous /*null when async*/) {
try {
var vulnItem = new GlideRecord('sn_vul_vulnerable_item');
if (!vulnItem.get(current.element_id))
return;
// Check if the vulnerable item source is HackerOne
if (vulnItem.source != 'HackerOne')
return;
var r = new sn_ws.RESTMessageV2('HackerOne', 'New Comment');
var encoded_message = GlideStringUtil.base64Encode(current.value.toString());
r.setStringParameterNoEscape('message', encoded_message);
r.setStringParameterNoEscape('sys_id', current.sys_id);
r.setStringParameterNoEscape('element_id', current.element_id);
r.execute();
} catch (ex) {
gs.error("HackerOne webhook error: " + ex.message);
}
})(current, previous);Click Submit.
Make sure that the arguments for RESTMessageV2 match the name you gave to the Outbound REST Message.
You're all set! Now that you've finished setting up the ServiceNow integration, you can create a vulnerable item right from your HackerOne report.