Global Control of LLMs

Bugcrowd is committed to providing powerful, secure Generative AI (GenAI) capabilities for your security program. This document details our use of Large Language Models (LLMs) and how Organization Owners can control their use across the Organization. Enabling these features, which are available for customer use, signifies consent to the use of GenAI/LLM services.

Security & Data Assurance

The AI Capabilities currently encompass AI Triage Assistant, AI Analytics, and AI Connect (MCP Server).

Features NOT Controlled:

  • AI Connect: This feature is NOT controlled because the MCP Server is not an LLM and does not use Bugcrowd’s LLM infrastructure.
  • Analytics (Dashboards): The core Analytics (Dashboards) section will always remain accessible, as it does NOT utilize LLMs. Within AI Analytics, only the Ask AI (natural language query) feature is governed by the Global Control.

Zero Training Policy: Our features that use LLMs utilize enterprise-grade configurations to generate the feature’s output (inference). This ensures that the data is NOT retained or used to train LLM models.

Machine Learning vs. Generative AI Models

There is a distinction regarding which models are impacted by this control:

  • Generative AI (GenAI) / Features that Use LLMs: Tools using LLMs (e.g., Amazon Bedrock) to create new content. These features are controlled by the Global Control of LLMs.
  • Machine Learning (ML): Core Bugcrowd models (e.g., CrowdMatch) used for prediction/matching. These models do not use LLMs, do not generate new content, and are NOT affected by the Global Control.

Global Control of LLMs

The Global Control allows Organization Owners to Enable or Disable all features that use LLMs with a single action. Setting the control to Disabled deactivates all current and future LLM-powered features. Organization Owners can Enable or Disable this control at any time (before or after the Grace Period, see details below).

Current Features

The current features controlled by the Global Control of LLMs are:

Feature Name | Action
Ask AI (The Natural Language Query function of AI Analytics) | Learn more
AI Triage Assistant | Learn more

Control Access

Only Organization Owners have the permissions to manage this Global Control.

However, certain features, such as the AI Triage Assistant, also offer the option to be managed at the Program level.

  • If the Global Control is Disabled, all LLM-related features - even those with Program-level access - will be disabled and cannot be enabled at the Program level.
  • If the Global Control is Enabled, Program-level features can be subsequently disabled by roles with Program-level access (e.g., Program Owners) on Program > Settings > Integrations.
  • Features accessible only by Organization Owners are controlled exclusively by the Global Control.

How to Enable or Disable the Feature

  1. Navigate to Organization in the main menu, and go to the Settings tab.

    Screenshot of navigation to Organization > Settings

  2. Select the Global Control of LLMs section.

    Screenshot showing Global Control of LLMs section

  3. Toggle the control to Enable or Disable. Click Submit to save your changes and wait for the confirmation message.

    Screenshot showing toggle and Submit button

  4. If Enable + Submit was selected, you will see the following confirmation page and access to the current LLM-connected features will be enabled.

    Screenshot of confirmation page after enabling

  5. If Disable + Submit was selected, you will see the following confirmation page and all LLM-connected features across your Organization will be disabled.

    Screenshot of confirmation page after disabling

Grace Period

The Grace Period (December 10, 2025 to January 20, 2026) allows customers to select their preference before the GenAI feature is enabled by default for all customers who took no action during that period.

  • Even customers who do not wish to use the GenAI features are requested to Disable them using the control, which ensures the features will not be enabled for them after the Grace Period.
  • Customers can Enable or Disable the feature at any time (before or after January 20th).
  • Customers with AI Provisions will have the control disabled by default and are not subject to the Grace Period’s automatic enablement.

FAQ

1. What features are included in the AI Capabilities?
Currently, AI Triage Assistant, AI Analytics, and AI Connect (MCP Server).

2. Does the Global Control affect AI Connect (MCP Server)?
No. AI Connect is NOT controlled because the MCP Server is not an LLM and, therefore, does not use Bugcrowd’s LLM infrastructure.

3. Why is AI Analytics accessible even if the Global Control of LLMs is Disabled or in a ‘null’ state?
The AI Analytics feature has two components:

  • Dashboards: The initial view, called Analytics (e.g., Submissions, Performance), is a series of standard dashboards that do not use LLMs. This is why this page remains accessible when the Global Control is Disabled or null. For more info, visit the AI Analytics documentation.
  • Ask AI: The Ask AI feature (accessed via the ‘Ask AI’ button on the top right) does use LLMs. This component requires the Global Control of LLMs to be Enabled to be accessible.

4. Can Program Owners enable the Global Control of LLMs?
No. If the Global Control of LLMs is Disabled, no features that use LLMs can be activated, not even at the Program level. Only Organization Owners can enable the Global Control.

5. When does the Grace Period begin and end?
The Grace Period begins on December 10th and ends on January 20th EST.

6. What is the feature’s status during the Grace Period?
For existing customers, the feature will be in a null state (effectively Disabled) throughout the Grace Period, waiting for customer action to Enable or Disable the feature. The Grace Period does not apply to new customers.

7. What happens if I take no action during the Grace Period?
The feature will be automatically Enabled by default on January 20th EST for all existing customers who did not take any action during the Grace Period.

8. How do I ensure the feature remains disabled?
Even if you do not wish to use the GenAI features, you are requested to Disable the control in the platform (found at Organization > Settings > Global Control of LLMs). This action ensures the features will not be enabled for the account after the Grace Period ends.

9. What is the rule for new customers?
New customers are not subject to the Grace Period and the control is set to Enabled by default upon onboarding, unless their contract includes AI Provisions. Please note that any Organization Owner (current or new customer) can Disable and Re-enable the feature in-platform at any time.

10. Are there exceptions for customers with AI Provisions?
Yes. Customers with AI Provisions will have the control disabled by default and are not subject to the automatic enablement at the end of the Grace Period.

11. Does the Global Control affect Machine Learning (ML) models like CrowdMatch?
No. Machine Learning models do not use LLMs, do not generate new content, and are NOT affected by the Global Control.