- Step 1 - Invite team members to the program
- Step 2 - Assign a team member to monitor the program
- Step 3 - Make your organization aware of the program
- Step 4 - Review your attack surface
- Step 5 - Build your bounty program brief
- Step 6 - Import known issues
- Step 7 - Set up integration
To get started, sign in and familiarize yourself with the Crowdcontrol Navbar. Using this toolbar, you will be able to navigate through the platform to perform tasks such as adding new team members, updating the Program Brief, and managing the Submissions Page.
Step 1 - Invite team members to the program
Each Crowdcontrol role grants a different level of visibility and a different set of responsibilities. Assign each team member the role that matches the tasks you want them to perform, and keep roles as narrow as those tasks require. Roles may be adjusted at any point during your program.
For information about adding new team members, see adding team members.
Step 2 - Assign a team member to monitor the program
It is important to understand that although Crowdcontrol makes it easier to run a bug bounty, your program requires consistent attention. Having at least one individual on your security team assigned to monitor the program is highly recommended. Running a bug bounty program is not the same as turning on a generic scanner whose results can be ignored until there’s time to address them or a penetration test which delivers results on a predetermined date. Neglecting researcher submissions will do you no favors, and will undermine the potential success of your program.
Step 3 - Make your organization aware of the program
Running a bounty program doesn’t stop at that one person who’s been managing the day to day of the program. It’s also critical that the entire organization is aware of the bounty program, and policies are in place across departments.
You should have processes in place to ensure the timely processing and remediation of found issues, as well as prioritization guidelines over existing work. This will likely require working directly with multiple project owners, developers, and so on. And while it’s most important that the technical folks are well informed and directed, it’s also important that you understand the extent to which this will affect other departments. For example, marketing or sales folks should be aware of testing on public website forms, customer service folks should be prepared to field related questions, etc.
More Info: For more on this topic, review the Bug Bounty Lifecycle.
Step 4 - Review your attack surface
Before getting started, know your attack surface. Initiate extensive audits of your apps and libraries to help you understand where and how you’re vulnerable, and identify what is most important to your business.
Step 5 - Build your bounty program brief
Although Bugcrowd will assist you with this process, we always recommend you take the first step in building the initial framework of your bounty brief. By going to our Public Programs list you can see examples of bounty briefs. To edit your brief, navigate to the Settings tab on the Crowdcontrol toolbar.
More info on building a great bounty brief:
Step 6 - Import known issues
Prior to the launch of your program, import all known issues into Crowdcontrol using a properly formatted CSV file. Crowdcontrol uses these known issues to identify incoming submissions that report something you already know about, so that they can be filtered as duplicates from the moment your program launches.
More Info: To learn more about importing known issues, review the Known Issues Imports page.
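The value of the import depends on known issues being recorded in a form that actually matches what researchers will submit: the same endpoint written with a different scheme, host casing, trailing slash or query string should still be recognized as the same issue. The script below is an added example, not Bugcrowd's code and not Crowdcontrol's matching logic; it assumes a hypothetical column set (title, target, vulnerability_type, internal_reference), since this page does not spell out the CSV schema, and uses constructed sample findings and submissions. It builds the CSV, refuses rows with missing fields, and then shows how normalized target and vulnerability-type fingerprints let incoming submissions be checked against the known set.

```python
import csv
import io
from urllib.parse import urlsplit

# Hypothetical column set: this page does not give Crowdcontrol's CSV schema,
# so check your Known Issues Imports documentation for the real headers.
FIELDS = ["title", "target", "vulnerability_type", "internal_reference"]


def normalize_target(target):
    """Reduce a URL or bare host/path to lowercase host + path.

    Scheme, port casing, query string, fragment and trailing slash are
    dropped so that the same endpoint always yields the same string.
    """
    t = target.strip()
    if "://" not in t:
        t = "//" + t  # let urlsplit treat a bare host as the netloc
    parts = urlsplit(t)
    host = parts.netloc.lower()
    path = parts.path.rstrip("/") or "/"
    return host + path


def fingerprint(target, vulnerability_type):
    """Key used to compare a known issue with an incoming submission."""
    return (normalize_target(target), vulnerability_type.strip().lower())


def build_known_issues_csv(findings):
    """Serialize findings (dicts keyed by FIELDS) to CSV text.

    Raises ValueError on a row with a missing field rather than silently
    importing an issue that could never match anything.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    for finding in findings:
        missing = [k for k in FIELDS if not finding.get(k)]
        if missing:
            ref = finding.get("internal_reference", "<no reference>")
            raise ValueError(f"{ref}: missing field(s) {missing}")
        writer.writerow({k: finding[k] for k in FIELDS})
    return buf.getvalue()


def load_fingerprints(csv_text):
    """Parse known-issues CSV text into {fingerprint: internal_reference}."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {
        fingerprint(row["target"], row["vulnerability_type"]): row["internal_reference"]
        for row in reader
    }


def triage(submissions, known):
    """Return (submission title, matching internal reference or None) pairs."""
    return [
        (s["title"], known.get(fingerprint(s["target"], s["vulnerability_type"])))
        for s in submissions
    ]


# Constructed sample data for illustration only.
KNOWN_FINDINGS = [
    {"title": "XSS in login redirect", "target": "https://app.example.com/login/?next=/",
     "vulnerability_type": "Reflected XSS", "internal_reference": "SEC-101"},
    {"title": "User lookup by ID", "target": "api.example.com/v1/users",
     "vulnerability_type": "IDOR", "internal_reference": "SEC-102"},
]

INCOMING_SUBMISSIONS = [
    {"title": "Reflected XSS on login page", "target": "http://APP.example.com/login",
     "vulnerability_type": "reflected xss"},
    {"title": "IDOR on orders endpoint", "target": "https://api.example.com/v1/orders",
     "vulnerability_type": "IDOR"},
    {"title": "IDOR on users endpoint", "target": "https://api.example.com/v1/users/",
     "vulnerability_type": "idor"},
]


if __name__ == "__main__":
    known = load_fingerprints(build_known_issues_csv(KNOWN_FINDINGS))
    for title, ref in triage(INCOMING_SUBMISSIONS, known):
        print(f"{title}: {'duplicate of ' + ref if ref else 'new finding'}")
```

Only the first and third submissions match known issues; the orders endpoint is a genuinely new finding even though it is the same vulnerability class on the same host. That is the behavior you want from your own records: broad enough to catch re-reports, narrow enough not to discard distinct bugs.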
Step 7 - Set up integration
Crowdcontrol can integrate with a number of different applications, depending on your business needs. We recommend integrating your ticketing system and your SSO (single sign-on) provider first. A ticketing integration routes vulnerabilities that need a fix directly into your development team's queue, so findings are not lost between the platform and the people who remediate them.
For information about how to integrate your ticketing system, see Jira or Trello.
For information about how to integrate your SSO application, see OneLogin, Okta, or Ping Identity.
Now that you have gone through our Program Owner Start-Up Guide, we recommend that all users who will be working within Crowdcontrol review the User Start-Up Guide.