
Embedded Submission Form

Organizations: Embed the HackerOne report submission form onto your website


You can embed the HackerOne report submission form on your website. This enables hackers to submit reports without creating an account on HackerOne. It also provides hackers an easy way to submit security vulnerabilities without searching for the VDP or security guidelines. With embedded submissions, anyone can submit a report to the program, and hackers also have the option to submit reports anonymously.

If you have signal requirements set up for your program, please note that the embedded submission form bypasses all existing signal requirements. Hackers who don't meet signal requirements can still submit vulnerabilities to your program through the embedded submission form.

Note: If you’re running a private program and want to configure an embedded submission form, any hacker can submit vulnerabilities to your program as long as they have access to the embedded submission form, even if they’re not explicitly invited to your program. If you choose to have an embedded submission form, your program will no longer be strictly private.

How it Works

Once the integration has been set up, the HackerOne report submission form can be accessed directly on your site. Hackers don't need to access your HackerOne Security page to submit reports; they can access the report form right from your site.

When hackers submit reports through the embedded form, the form automatically detects if they are signed in to HackerOne and allows them to submit a report. If they aren’t a member or signed in, they can provide their email in the email field to receive an invitation link to create a HackerOne account and follow updates on their report.

Anonymous submissions will always remain anonymous and can’t be claimed later for reputation or bounties. If an email address is provided, HackerOne will be able to check if an account exists with that email on HackerOne and send the hacker an email to claim the report or to create an account to claim the report.

We recommend you include a short description of how embedded submissions work on your submission form page so hackers can understand the submission process. Alternatively, you can include a link to your security page or directory page explaining your guidelines for submitting vulnerabilities.

Set Up an Embedded Submission Form

To have an embedded submission form on your website:

  1. Go to Engagements, click the kebab menu (three dots) for the program you’re interested in, then click Settings. The embedded form is under Hacker Management.

  2. On the Embedded Submission Configuration form, identify the domains where you want the submission form to be embedded. You must add a Fully Qualified Domain Name (FQDN). You can add up to 100 domains.

  3. Customize the look of your submission form to match your website's style.

    1. You can also select which languages the form will appear in. Selecting multiple locales will create a dropdown menu so the security researcher can choose their preferred language. (Beta feature)

    2. Note: Customization settings are only for Enterprise programs.

Heads-up: The "Introduction Text" on the Embedded Submission Form is only editable in Program Settings > Customizations > Submit Report Form since it shows up as the first text block on both the embedded form and the Submit Report Form.

  4. (Optional) Click Preview form to see how your form will look.

  5. Click Save changes.

  6. Copy and paste the script tag to your website. The script tag is used to include a JavaScript file served by HackerOne to generate the iframe necessary to embed the report submission page. As the iframe replaces the script tag, you can insert the tag wherever you want the iframe to be included.

Note: The URL within the script contains a UUID (e.g., 25ab901d-7cea-481b-8ac2-c16b7d10d577). The embedded page uses this UUID to grant users access to submit reports to your program. Any user with access to the UUID will be able to submit reports. You must be careful when disclosing this UUID if you want to restrict access to submissions.

Alternatively, if you don’t want to include dynamic JavaScript, you can copy and paste the <iframe /> element on your website to embed a frame directly.

Or you can paste the "https://hackerone.com/...UUID.../embedded_submissions/new" portion of the code as a URL. You can point to the link on your website or set up a security@ email with an auto-response pointing to the link.
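
Because any user with access to the UUID can submit reports, it helps to inventory where the embed URL is published on your own site. The following is an added example, not HackerOne's code: it scans page content for embed URLs, records how each one is exposed, and flags pages outside an approved list. The URL pattern, the function names and the sample pages are assumptions constructed for illustration.

```javascript
// Added example: inventory where the embedded-submission UUID is published.
// Assumption: embed URLs look like hackerone.com/<UUID>/embedded_submissions...
const EMBED_RE =
  /hackerone\.com\/([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\/embedded_submissions/gi;

// Name of the HTML tag whose attribute holds the match, or "text" if the
// URL sits in page text rather than inside a tag.
function enclosingTag(body, index) {
  const open = body.lastIndexOf("<", index);
  if (open === -1 || body.indexOf(">", open) < index) return "text";
  const name = /^<\s*([a-z0-9]+)/i.exec(body.slice(open));
  return name ? name[1].toLowerCase() : "text";
}

// pages: { path: content }. approvedPaths: where the form is meant to appear.
function auditEmbedDisclosure(pages, approvedPaths) {
  const approved = new Set(approvedPaths);
  const findings = [];
  for (const [path, body] of Object.entries(pages)) {
    for (const m of body.matchAll(EMBED_RE)) {
      findings.push({
        path,
        via: enclosingTag(body, m.index),
        // Only a prefix, so the audit report does not itself leak the UUID.
        uuidPrefix: m[1].slice(0, 8).toLowerCase(),
        approved: approved.has(path),
      });
    }
  }
  return findings;
}

// Constructed sample site content (not real pages).
const SAMPLE_UUID = "25ab901d-7cea-481b-8ac2-c16b7d10d577"; // example UUID from the article
const samplePages = {
  "/security": `<h1>Report a vulnerability</h1>
<iframe src="https://hackerone.com/${SAMPLE_UUID}/embedded_submissions/new"></iframe>`,
  "/blog/launch": `<p>Submit at https://hackerone.com/${SAMPLE_UUID}/embedded_submissions/new</p>`,
  "/about": `<p>Contact us at <a href="/security">our security page</a>.</p>`,
};

const findings = auditEmbedDisclosure(samplePages, ["/security"]);
for (const f of findings) {
  console.log(`${f.approved ? "ok  " : "FLAG"} ${f.path} (${f.via}) uuid ${f.uuidPrefix}...`);
}
```

Pages reported as FLAG are places where the UUID is disclosed outside the locations you intended, which matters most for programs that were private before the form was enabled.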
