You can embed the HackerOne report submission form in your website. This enables hackers to submit reports without having to create an account on HackerOne, and gives them an easy way to submit security vulnerabilities without having to search for the VDP or security policy. With embedded submissions, anyone can submit a report to the program, and hackers also have the option to submit reports anonymously.
If you have signal requirements set up for your program, note that the embedded submission form bypasses all of them. Hackers who don't meet signal requirements will still be able to submit vulnerabilities to your program through the embedded submission form.
Set Up an Embedded Submission Form
To have an embedded submission form on your website:
Go to Program Settings > Program > Embedded Submission Form.
On the Embedded Submission Configuration form, identify the domains where you want the submission form to be embedded. You must add a Fully Qualified Domain Name (FQDN). You can add up to 100 domains.
Customize the look of your submission form to match the style of your website. You can change these settings:
Show “Powered by HackerOne” on the submission form: The checkbox is selected by default to show that the form is powered by HackerOne. You can deselect the checkbox to hide the HackerOne logo from the form.
Select the type of font you want the form to appear in.
Select the color of the links on the form.
Select the color of the form design.
Accent Text Color: Select the text color within the design accents.
Select the color of the button on the form.
Button Text Color: Select the text color within the button.
(Optional) Click Preview form to see how your form will look.
Click Save changes.
<iframe /> element on your website to embed a frame directly.
Or you can paste the
portion of code as a URL. You can point to the link on your website, or you can set up a security@ email with an auto-response pointing to the link.
How it Works
Once the integration has been set up, the HackerOne report submission form can be accessed directly on your site. Hackers don't need to visit your HackerOne policy page to submit reports; they can access the report form right from your site.
When hackers submit reports through the embedded form, the form automatically detects if a hacker is signed in to HackerOne and allows them to submit a report. If a hacker isn’t a member or signed in, they can provide their email in the email field to receive status updates on their report.
Anonymous submissions will always remain anonymous and can’t be claimed later for reputation or bounties. If an email address is provided, HackerOne will be able to check if an account exists with that email on HackerOne and send the hacker an email to claim the report or to create an account to claim the report.
We recommend you include a short description of how embedded submissions work on your submission form page so hackers can understand the submission process. Alternatively, you can include a link to your policy page or directory page that explains your policy on submitting vulnerabilities.