
Partner pentest triage

Pencheff integrates with HackerOne, Bugcrowd, and Cobalt as partner pentest platforms — every finding_new event can be auto-submitted as a draft report on the upstream platform, and the triager’s verdict flows back through a callback that flips Pencheff’s verification_status.

The integration sidesteps the multi-year build-out of a researcher network: instead of operating one ourselves, we route findings to the platform whose researcher community already triages your engagements.

What it does

| Stage | Direction | Surface |
|---|---|---|
| Submit for triage | Pencheff → partner | Click Verify with humans → on a finding card; the finding is forwarded as a finding_new event through the configured integration. |
| Triager verdict | Partner → Pencheff | The partner’s webhook calls back into POST /findings/{id}/verify-callback with one of: confirmed / informative / duplicate / not-applicable. |
| State flip | Pencheff side | confirmed → verification_status = true_positive; informative → false_positive; duplicate / not-applicable → suppressed with reason. |

Configure an integration

| Platform | Config fields |
|---|---|
| HackerOne | api_username, api_token |
| Bugcrowd | api_token, program_uuid |
| Cobalt | api_token, pentest_id |

Add via Settings → Integrations → Add integration. Each platform has a one-click “test” round-trip:

  • HackerOne — GET /v1/me
  • Bugcrowd — GET /me (Crowdcontrol API v4)
  • Cobalt — GET /orgs (Cobalt API v3, X-Api-Key auth)

The test verifies the credentials before any real submission, so a bad token doesn’t show up only when a real finding routes.

Per-finding triage button

Every finding card on /scans/{id}/findings/{fid} exposes a Verify with humans → button under the action row (next to Re-examine, Mark fixed, Confirm). Clicking it shows three buttons — one per configured partner kind — and the chosen platform gets the finding as a draft report.

Webhook signing

The Phase 1.2 HMAC primitive (pencheff_api.services.integration_dispatch.sign_webhook_body) is used for the generic webhook integration’s outbound signature. Partner integrations rely on the partner’s own signed-callback mechanism (HackerOne hash signature header, Bugcrowd JWT, Cobalt shared secret).

For inbound verify-callback requests, validate the partner’s signature in front of the endpoint — Pencheff doesn’t perform that step itself today (next iteration; tracked under Phase 4 follow-up).
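The state-flip rules from the table above and the front-of-endpoint signature check this section asks for, as an added example that is not Pencheff’s own code. It assumes a shared-secret HMAC-SHA256 scheme over the raw body with an `X-Signature` header and a `verdict` JSON field; the real partners each use their own mechanism, and the exact encoding of “suppressed with reason” is an assumption.

```python
import hmac
import hashlib
import json

# Assumed scheme, not a partner's real one: HMAC-SHA256 over the raw body,
# hex-encoded, carried in an assumed header. Secret is a placeholder.
SHARED_SECRET = b"placeholder-shared-secret"
SIGNATURE_HEADER = "X-Signature"

# Verdict -> (verification_status, suppression reason), per the state-flip table.
VERDICT_TO_STATE = {
    "confirmed": ("true_positive", None),
    "informative": ("false_positive", None),
    "duplicate": ("suppressed", "duplicate"),
    "not-applicable": ("suppressed", "not-applicable"),
}

def sign(raw_body: bytes) -> str:
    """Produce the signature a trusted caller would attach (used for the sample below)."""
    return hmac.new(SHARED_SECRET, raw_body, hashlib.sha256).hexdigest()

def signature_valid(raw_body: bytes, headers: dict) -> bool:
    """Check the signature over the exact bytes received, in constant time."""
    presented = headers.get(SIGNATURE_HEADER, "")
    return hmac.compare_digest(presented.encode(), sign(raw_body).encode())

def apply_verdict(raw_body: bytes, headers: dict) -> dict:
    """Reject unsigned or malformed callbacks, then flip verification_status."""
    if not signature_valid(raw_body, headers):
        return {"accepted": False, "error": "bad signature"}
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return {"accepted": False, "error": "malformed body"}
    verdict = payload.get("verdict")
    if verdict not in VERDICT_TO_STATE:
        # Unknown verdicts are refused rather than mapped to a guess.
        return {"accepted": False, "error": f"unknown verdict {verdict!r}"}
    status, reason = VERDICT_TO_STATE[verdict]
    result = {"accepted": True, "verification_status": status}
    if reason is not None:
        result["suppression_reason"] = reason
    return result

if __name__ == "__main__":
    # Constructed sample callback body.
    body = json.dumps({"verdict": "duplicate"}).encode()
    print(apply_verdict(body, {SIGNATURE_HEADER: sign(body)}))
```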
