Getting started overview

Getting started with Bugcrowd involves several key steps, beginning with account creation and program selection, followed by API credential generation for programmatic interaction. Bugcrowd offers various program types, including Vulnerability Disclosure Programs (VDPs) and Bug Bounties, each designed for different security testing needs. The platform's API allows for integration with existing security workflows, enabling automated vulnerability submission, data export, and program management. This guide outlines the initial setup, API access, and execution of a basic API request.

The primary method for interacting with Bugcrowd programmatically is through its API, which supports operations related to submissions, targets, and users. Access to this API is typically managed through the Bugcrowd platform or by contacting Bugcrowd support for API access details. Understanding the authentication mechanism, which commonly involves API keys, is crucial for securing your requests and ensuring proper authorization.

Create an account and get keys

To begin, you must establish an account with Bugcrowd. For organizations new to Bugcrowd, this typically involves signing up for a specific program type. Bugcrowd provides a VDP Starter free tier for establishing a basic Vulnerability Disclosure Program. Paid programs, such as Bug Bounty or Penetration Testing as a Service (PTaaS), require engagement with Bugcrowd's sales team to define scope and pricing, as detailed on their Bugcrowd pricing overview page.

Once your account is established and a program is active, you can generate API keys. The exact process for API key generation can vary slightly depending on your account type and permissions. Generally, you will navigate to your account settings or a dedicated API management section within the Bugcrowd platform. The Bugcrowd API documentation provides specific instructions for locating and generating these credentials.

API keys are sensitive credentials: anyone holding one can act as your organization against the API. Store them in a secrets manager or environment variable rather than in source code, shell history, or a ticket, rotate them regularly, and restrict each key to the permissions its job needs. For instance, an API key used only for submitting vulnerabilities should not have permission to modify program settings. Applying the principle of least privilege in this way limits the damage a compromised key can do.

The examples in this guide authenticate each request with two values, passed as HTTP headers: an API token in the Authorization header and an organization ID in a custom X-Bugcrowd-Organization-Id header. Header names and the exact token format can change between API versions, so confirm both against the current Bugcrowd API documentation, and make sure you have obtained both values before making requests.

Quick Reference: Account Setup & Key Generation

Step                   What to Do                                                               Where
1. Sign Up             Create a Bugcrowd account or inquire about enterprise solutions.         Bugcrowd VDP Starter page or Bugcrowd Contact Us
2. Program Setup       Configure your chosen security program (e.g., VDP, Bug Bounty).          Bugcrowd Platform (post-login)
3. Generate API Keys   Locate and generate your API token and organization ID.                  Bugcrowd Platform (Account Settings or API Management section)
4. Secure Keys         Store API credentials securely and adhere to security best practices.    Internal security policies

Your first request

After acquiring your API credentials, you can make your first API request. This example demonstrates how to fetch information about your programs using the Bugcrowd API. We will use curl for simplicity, but you can adapt this to any HTTP client or programming language.

First, have your API token and organization ID at hand. Replace YOUR_API_TOKEN and YOUR_ORGANIZATION_ID below with your actual values, or better, read them from environment variables so they never land in a script or in shell history. The base URL for the Bugcrowd API is typically https://api.bugcrowd.com, and this example uses the /programs endpoint to list programs; confirm the path against the current API reference, since endpoint names can differ between API versions.

curl -X GET \
  'https://api.bugcrowd.com/programs' \
  -H 'Accept: application/vnd.bugcrowd.v4+json' \
  -H 'Authorization: Token token=YOUR_API_TOKEN' \
  -H 'X-Bugcrowd-Organization-Id: YOUR_ORGANIZATION_ID'

In this example:

  • -X GET specifies the HTTP GET method.
  • 'https://api.bugcrowd.com/programs' is the API endpoint. Please refer to the Bugcrowd API reference documentation for the most current and specific endpoints.
  • -H 'Accept: application/vnd.bugcrowd.v4+json' sets the Accept header to the Bugcrowd API version 4 JSON media type. Pinning the version in the media type keeps a future API release from changing the response shape underneath your parser; the server answers with an unsupported media type error if the header is wrong.
  • -H 'Authorization: Token token=YOUR_API_TOKEN' provides your API token for authentication.
  • -H 'X-Bugcrowd-Organization-Id: YOUR_ORGANIZATION_ID' identifies your organization.

A successful response (HTTP 200) returns a JSON object listing your active programs with their IDs, names, state, and other metadata. The fields below are illustrative; the exact schema is defined by the API reference. A successful response might look like:

{
  "programs": [
    {
      "id": "program-uuid-1",
      "name": "My First VDP",
      "state": "active",
      "program_type": "vdp",
      "created_at": "2026-05-29T10:00:00Z"
    },
    {
      "id": "program-uuid-2",
      "name": "My Bug Bounty Program",
      "state": "active",
      "program_type": "bug_bounty",
      "created_at": "2026-05-28T15:30:00Z"
    }
  ]
}

This initial request confirms that your API credentials are valid and that you can successfully communicate with the Bugcrowd API. Subsequent requests can involve submitting vulnerabilities, retrieving submission details, or managing targets, all detailed within the Bugcrowd developer documentation.
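The same first call written in Python, as an added example that is not Bugcrowd's own client code: it builds the three headers from the curl command above, reads the credentials from the environment instead of hard-coding them, parses the sample response into a list of programs, and redacts the Authorization header before anything is logged. The environment variable names BUGCROWD_API_TOKEN and BUGCROWD_ORG_ID and the FakeOpener used to run the example offline are assumptions for this example; the response body is the sample shown above.

```python
"""Added example (not Bugcrowd's own client code): the first /programs call
from Python, mirroring the curl request on this page, with the response parsed.

Assumptions not taken from the page or the Bugcrowd docs: credentials come
from the environment variables BUGCROWD_API_TOKEN and BUGCROWD_ORG_ID, and
the response shape is the one in the sample above.
"""
import io
import json
import os
import urllib.error
import urllib.request

BASE_URL = "https://api.bugcrowd.com"
ACCEPT = "application/vnd.bugcrowd.v4+json"

# Constructed sample body, copied from the example response on this page.
SAMPLE_RESPONSE = json.dumps({
    "programs": [
        {"id": "program-uuid-1", "name": "My First VDP", "state": "active",
         "program_type": "vdp", "created_at": "2026-05-29T10:00:00Z"},
        {"id": "program-uuid-2", "name": "My Bug Bounty Program", "state": "active",
         "program_type": "bug_bounty", "created_at": "2026-05-28T15:30:00Z"},
    ]
}).encode()


def load_credentials(env=os.environ):
    """Read the token and organization ID from the environment (assumed
    variable names) so they are never hard-coded or committed."""
    token, org_id = env.get("BUGCROWD_API_TOKEN"), env.get("BUGCROWD_ORG_ID")
    if not token or not org_id:
        raise RuntimeError("set BUGCROWD_API_TOKEN and BUGCROWD_ORG_ID first")
    return token, org_id


def auth_headers(token, org_id):
    """The three headers used by the curl example on this page."""
    return {
        "Accept": ACCEPT,
        "Authorization": f"Token token={token}",
        "X-Bugcrowd-Organization-Id": org_id,
    }


def build_request(token, org_id, path="/programs", base_url=BASE_URL):
    """GET request for `path`; the path must be absolute."""
    if not path.startswith("/"):
        raise ValueError("path must start with '/', e.g. /programs")
    return urllib.request.Request(base_url + path,
                                  headers=auth_headers(token, org_id), method="GET")


def redacted_headers(headers):
    """Copy of the headers that is safe to log or paste into a support ticket."""
    return {k: "<redacted>" if k.lower() == "authorization" else v
            for k, v in headers.items()}


def parse_programs(body):
    """Extract the fields a caller usually wants from a /programs response."""
    data = json.loads(body)
    programs = data.get("programs") if isinstance(data, dict) else None
    if not isinstance(programs, list):
        raise ValueError("response has no 'programs' list; check the Accept header and path")
    return [{"id": p["id"], "name": p["name"], "state": p.get("state"),
             "program_type": p.get("program_type")} for p in programs]


def list_programs(token, org_id, opener=None, timeout=30):
    """Send the request and return the parsed program list. `opener` is
    injectable so the call can be exercised offline."""
    opener = opener or urllib.request.build_opener()
    req = build_request(token, org_id)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return parse_programs(resp.read())
    except urllib.error.HTTPError as err:
        # 401: bad or expired token; 403: token lacks permission; 404: wrong path.
        raise RuntimeError(f"HTTP {err.code} for {req.full_url} with headers "
                           f"{redacted_headers(auth_headers(token, org_id))}") from err


class FakeOpener:
    """Constructed stand-in for urllib's opener so the example runs offline."""
    def __init__(self, body=SAMPLE_RESPONSE, status=200):
        self.body, self.status = body, status

    def open(self, req, timeout=None):
        if self.status != 200:
            raise urllib.error.HTTPError(req.full_url, self.status, "error", {}, None)
        return io.BytesIO(self.body)


if __name__ == "__main__":
    for program in list_programs(*load_credentials()):
        print(program["id"], program["name"], program["state"])
```

Run it with the two environment variables set to make the live call; `list_programs("abc", "org-1", opener=FakeOpener())` exercises the same code path against the sample body without touching the network. Note that the error raised on an HTTP failure carries only the redacted headers, so it can be copied into a support ticket as the troubleshooting section below recommends.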

Common next steps

After successfully making your first API call, several common next steps can enhance your use of the Bugcrowd platform:

  • Explore API Endpoints: Review the comprehensive Bugcrowd API documentation to understand available endpoints for submission management, target configuration, and user roles. This allows for deeper integration and automation of security workflows.
  • Automate Submission Reporting: Integrate the Bugcrowd API into your existing development pipelines (CI/CD) or internal security tools to automatically submit vulnerabilities found during testing or code analysis. This can streamline the reporting process and reduce manual overhead.
  • Webhooks for Real-time Updates: Configure webhooks to receive notifications from Bugcrowd about new submissions, status changes, or bounty payments, so that your incident response or ticketing systems can react immediately. Treat inbound webhook payloads as untrusted input: serve the endpoint over HTTPS, verify whatever signature or shared-secret mechanism Bugcrowd provides before acting on a payload, and reject anything that fails verification. For general guidance on securing webhook endpoints, see Twilio's webhook security guidelines.
  • Data Export and Analytics: Utilize the API to export vulnerability data for custom reporting and analytics. This can help track trends, measure program effectiveness, and inform strategic security decisions.
  • Integrate with Project Management Tools: Connect Bugcrowd with tools like Jira, Notion, or Salesforce through the API to automatically create tickets or tasks for newly discovered vulnerabilities, facilitating efficient remediation tracking.
  • Program Management: Use the API to programmatically manage aspects of your bug bounty or VDP, such as updating target scope, managing researcher invitations, or automating reward distribution where applicable.

Troubleshooting the first call

Encountering issues during your first API call is common. Here are some troubleshooting tips:

  • Check API Key and Organization ID: Double-check that your API token and organization ID are correct and have not been truncated or misspelled. These are case-sensitive.
  • Verify Headers: Ensure all required headers (Accept, Authorization, X-Bugcrowd-Organization-Id) are correctly formatted and included in your request. An incorrect Accept header can lead to unsupported media type errors.
  • Authentication Errors (401 Unauthorized): A 401 means the API could not authenticate the request: the Authorization header is missing or malformed, or the token is invalid, revoked, or expired. It is not a permissions problem (see 403 below). Check that the header is present and formatted exactly as in the example, then verify the token's status in the Bugcrowd platform and regenerate it if needed.
  • Forbidden Errors (403 Forbidden): A 403 status code suggests that your credentials are valid, but they lack the necessary authorization to perform the specific action on the requested resource. For instance, your token might not have permission to access certain program data. Check the scope of your API key.
  • Not Found Errors (404 Not Found): This error usually means the endpoint you are trying to access does not exist or the resource (e.g., a specific program ID) cannot be found. Verify the URL path against the Bugcrowd API reference.
  • Rate Limiting (429 Too Many Requests): If you send too many requests in a short period, the API will reject further requests with a 429. The response typically carries a Retry-After header (as a number of seconds or an HTTP date) stating when you may retry; honour it when present, and otherwise back off exponentially with jitter rather than retrying in a tight loop, which only extends the lockout.
  • Network Issues: Confirm that your network connection is stable and that no firewalls or proxies are blocking your outbound API requests to api.bugcrowd.com.
  • Consult Documentation: The official Bugcrowd API documentation is the authoritative source for error codes, endpoint specifics, and troubleshooting guides. Always refer to it for the most up-to-date information.
  • Contact Support: If you've exhausted troubleshooting options, reach out to Bugcrowd support with details of your request, including the full request with the Authorization header and any other credentials redacted, and the complete error response.
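A retry policy for the 429 case above, as an added example that is not part of Bugcrowd's documentation or client code: it honours a Retry-After header given either as seconds or as an HTTP date, falls back to capped exponential backoff with jitter when the header is absent or unparseable, and gives up after a fixed number of attempts. The `send` callable, `FakeResponse` and `make_fake_send` are constructed for the example so it runs offline; in real use `send` would issue the HTTP request and return the response.

```python
"""Added example (not Bugcrowd's code): a retry policy for 429 responses that
honours Retry-After (seconds or HTTP-date) and otherwise backs off
exponentially with jitter. `send` is any zero-argument callable returning an
object with `.status` and `.headers`; the fake transport below is constructed
for the example.
"""
import random
import time
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def retry_delay(headers, attempt, base=1.0, cap=60.0, rng=random.random, now=None):
    """Seconds to wait before the next try. Retry-After wins when present;
    otherwise base * 2**attempt, capped, scaled by 50-100% jitter so that
    many clients unblocked at once do not all retry in the same instant."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    retry_after = lowered.get("retry-after")
    if retry_after is not None:
        value = retry_after.strip()
        if value.isdigit():                      # delta-seconds form
            return min(cap, float(value))
        try:                                     # HTTP-date form
            when = parsedate_to_datetime(value)
            now = now or datetime.now(timezone.utc)
            return max(0.0, min(cap, (when - now).total_seconds()))
        except (TypeError, ValueError):
            pass                                 # unparseable header: fall through to backoff
    return min(cap, base * 2 ** attempt) * (0.5 + rng() / 2)


def call_with_retries(send, max_attempts=5, sleep=time.sleep, rng=random.random):
    """Call `send` until it returns a non-429 response.
    Returns (response, attempts_used); raises after max_attempts consecutive 429s.
    `sleep` and `rng` are injectable so the policy can be tested without waiting."""
    for attempt in range(max_attempts):
        resp = send()
        if resp.status != 429:
            return resp, attempt + 1
        if attempt + 1 == max_attempts:
            break
        sleep(retry_delay(resp.headers, attempt, rng=rng))
    raise RuntimeError(f"still rate limited after {max_attempts} attempts")


class FakeResponse:
    """Constructed minimal response object with the two attributes the policy reads."""
    def __init__(self, status, headers=None):
        self.status, self.headers = status, headers or {}


def make_fake_send(statuses, headers=None):
    """Constructed transport: returns the given status codes in order."""
    it = iter(statuses)

    def send():
        return FakeResponse(next(it), headers)
    return send


if __name__ == "__main__":
    waited = []
    resp, used = call_with_retries(make_fake_send([429, 429, 200], {"Retry-After": "2"}),
                                   sleep=waited.append)
    print(f"status {resp.status} after {used} attempts, waited {waited}")
```

Only 429 is retried here; a 401, 403 or 404 is deterministic and retrying it just burns quota, so those should surface to the caller as the bullets above describe.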