Asset Collections

Collections let you group related assets for easier organization, reporting, and assignment to Security Programs. For example, you might create collections for:

  • Business units (e.g., Finance, Engineering)
  • Application types (e.g., Web Apps, APIs)
  • Testing categories (e.g., Website Testing, Bug bounty scope)
  • Regions (e.g., US-West, EU)

Collections are flexible and can be used to structure your asset inventory in a way that aligns with your security workflows.

To access Collections:

  1. Log in to your Bugcrowd organization.
  2. Navigate to Assets → Collections in the left sidebar.
  3. The Collections page lists all active collections.

Collections

Creating a Collection

  • From any asset view or the Collection page, click Create collection (top right).

Create Collection

  • Enter a Collection Name (up to 64 characters).

Create a collection modal

  • Click Create.

Your new collection is now available and can be used to group assets.

Adding Assets to a Collection

You can add assets to a collection from any asset view (like the Asset Inventory page):

  • Select one or more assets using the checkboxes.
  • Click Add to collection

Add assets to collection

  • Choose one or more collections from the dropdown.

Add asset to collection modal

  • Click Update.

The assets will now appear in the selected collection(s).

Viewing and Managing Collections

On the Collections page, you can:

  • View a collection: Click the collection name to see all assets within it.
  • Edit a collection: Update the collection name.
  • Archive a collection: Move a collection into a read-only state.
  • Assign a collection to a Security Program: Associate the entire group of assets with one or more programs.
  • Un-assign a collection from a Security Program: Remove the collection (and all its associated assets) from one or more programs. The assets remain in the collection and inventory but will no longer be associated with the selected program(s).
    • To un-assign, click Un-assign collection, select the Security Program(s) to remove, and confirm.
    • Vulnerabilities previously mapped to the collection within those programs remain in historical records but will no longer update once un-assigned.

viewing and managing collections

Archiving Collections

When a collection is archived:

  • The collection becomes read-only. The only available action is to unarchive it.
  • Assets inside the archived collection also become read-only in the context of that collection — no actions can be taken on them there.

However:

  • If the asset exists in other active collections, or is individually assigned to Security Programs, those relationships remain active and actions can still be taken.
  • If the asset itself is archived, it becomes unavailable in all contexts, even if it appears in active collections.

Best Practices

  • Use tags in combination with collections for maximum flexibility in filtering and organizing. Tags allow lightweight categorization (e.g., Production, Staging), while collections provide structured grouping.
  • Leverage collections for bulk assignments when adding assets to Security Programs, ensuring faster onboarding and consistent coverage.
  • Remember that archiving a collection does not delete assets — it simply makes the collection read-only. Assets remain active elsewhere if individually assigned or in other active collections.
  • Use active collections to maintain testing coverage of your critical assets and ensure no important targets fall out of scope.
  • Create collections aligned to business needs, such as grouping by product line, region, or compliance requirement (e.g., PCI, HIPAA) to streamline reporting and management.
  • Review and update collections regularly as assets evolve — remove outdated assets, archive old collections, and ensure new assets are included in the right groups.
  • Assign collections to multiple programs if applicable (e.g., the same set of staging assets tested under both internal red teaming and bug bounty). This reduces duplication and ensures consistent scope management.
  • Avoid overly large “catch-all” collections. Smaller, more focused collections (e.g., “Mobile Apps,” “US Region APIs”) are easier to manage and audit.
  • Document the purpose of each collection internally so team members understand how and when to use them.
Quickstart Expand to see sub-pages
Onboarding Expand to see sub-pages
Organization Management Expand to see sub-pages
Security Program Management Expand to see sub-pages
Engagement Management Expand to see sub-pages
Target Management Expand to see sub-pages
Single-Sign-On Expand to see sub-pages
Security Expand to see sub-pages
Roles and Permissions Expand to see sub-pages
Submission Management Expand to see sub-pages
Funds Management Expand to see sub-pages
Integration Management Expand to see sub-pages
Reporting Organization Expand to see sub-pages
Reporting Security Program Expand to see sub-pages
Incident management Expand to see sub-pages
Visit bugcrowd.com