CVD Portal
← Back to Documentation
API Reference

Bulk Multi-Vendor Submission Endpoint

By The CVD Portal Team
4 min read

The bulk submission endpoint lets a security researcher, or an agent acting for one, file the same vulnerability to several vendors' public CVD portals in a single request and get back a tracking ID for each one. It is built for the common case where one finding affects many products hosted on CVD Portal. Each report is validated and filed independently, so one rejected item never sinks the rest of the batch.

Endpoint

POST /api/portal/batch
Content-Type: application/json

This is a public endpoint. It needs no API key, exactly like the single-portal submission form, because it files into vendors' public intake portals. It is rate-limited per IP to 3 batches per minute, and each batch may carry up to 20 reports.

Request

Each item is a standard public submission plus the target portal slug (the vendor's subdomain, for example acme for acme.cvdportal.com).

{
  "submissions": [
    {
      "slug": "acme",
      "productName": "Acme Router X100",
      "vulnerabilityType": "RCE",
      "description": "Unauthenticated remote code execution in the admin interface.",
      "stepsToReproduce": "POST /admin with a crafted payload...",
      "impact": "Full device takeover",
      "contactEmail": "[email protected]"
    },
    {
      "slug": "globex",
      "vulnerabilityType": "RCE",
      "description": "Same firmware component is shipped in the Globex G500."
    }
  ]
}

description is required on every item. productName, vulnerabilityType, stepsToReproduce, impact, contactEmail, and pgpKey are optional, and vulnerabilityType must be one of the platform's accepted enum values. The report fields use the exact same validation as the single-portal endpoint.

Response

The endpoint always returns 200 with a per-item result and a summary. Check each item's ok flag rather than the HTTP status.

{
  "results": [
    { "slug": "acme", "ok": true, "submissionId": "clx123...", "createdAt": "2026-06-25T12:00:00.000Z" },
    { "slug": "globex", "ok": false, "error": "Portal not found" }
  ],
  "summary": { "total": 2, "succeeded": 1, "failed": 1 }
}

Store each submissionId against its slug. That is the researcher's tracking reference for following up with that vendor.

Behaviour notes

  • Per-item isolation — an unknown slug or a failed write produces an ok: false item with an error string. Every other item still files.
  • Same side effects as a single submission — each filed report fires the vendor's configured webhooks, records their first-report activation milestone, and runs AI triage where the vendor has it enabled.
  • Repeated slugs — filing several reports to the same portal in one batch is allowed. The portal lookup is resolved once per distinct slug.
  • Validation errors — a malformed batch envelope (empty array, more than 20 items, or a structurally invalid item) returns 400 with a single error message and files nothing.

Need more help?

Contact Support