Adding Classic Pen Test Program

An Classic Pen test program is a fixed pay-per-project model for all your compliance needs.

On-demand pen testing in a fixed pay-per-project model, for all of your compliance needs. If you choose expedited launch, you can launch this type of program within 72 hours, and receive vulnerabilities as soon as they are uncovered.

The information you provide in these steps will define your program configuration including:

  • Program scope and rewards
  • Helping Bugcrowd identify the correct skills and experience from the crowd to make sure maximum program value.
  • Providing the ability to provision testing credentials prior to launch.

To add an On-Demand Pen Test program:

  1. In the Select an engagement to launch window, click Start for Classic Pen Test.


    The Classic Pen Test page is displayed.

  2. Read the displayed information and click Start now.


    The Step 1 of 8 page is displayed.

  3. Specify a name for the program and click Next step.


    The Step 2 of 8 page is displayed.

  4. Provide the following information:

    • How many roles are there in your application?: Indicate the total number of roles that access your application. For example, if you have an admin, viewer and analyst, the total number of roles would be 3.
    • Are there any administrator roles?: Administrator roles are users with permission to access high level configurations in your app or website. Admins can usually access and configure all sections of the application or website.


    The Step 3 of 8 page is displayed.

  5. Provide the following information:

    • Is the application publicly accessible?: Indicate whether the application is private or public.
    • Is a VPN required to access your application?: If the application requires a VPN or credentials to access, select Yes.
    • Can credentials be self-provisioned?: Self-provision credentials is the ability for researchers to create their own credentials.


    The Step 4 of 8 page is displayed.

  6. Provide the following information:

    • How many input fields does the application have?: Indicate the total number of input fields that you want to be tested in your application. Do not include file upload fields. Input fields are areas that allow the user to input data.
    • Are there file upload fields in your application?: File Upload Fields are used to provide users the ability to attach or upload files.
    • Does the application have payment functionality?: Payment functionality includes accepting, storing, processing, and transmitting cardholder data (also known as your customers’ credit card information) during a credit card transaction.


    The Step 5 of 8 page is displayed.

  7. Provide the following information:

    • Are researchers required to be from a specific country?: Requiring researchers from a specific geography significantly limits the pool of researchers you can access, and will incur premium charges for testing.


    The Step 6 of 8 page is displayed.

  8. Provide the following information:

    • Does your application require special researcher skills to complete testing?: Are there skills, languages, and technologies required to ensure a researcher can provide value to your program? We’ll match a security team that specializes in these requirements in order to ensure the success of your Classic Pen Test.


    The Step 7 of 8 page is displayed.

  9. Provide the following information:

    • Do you need retesting?: Retesting validates patches were applied successfully, preventing the reported vulnerability
    • How many reports do you need for your Classic Pentest?: We send reports upon completion of your pen test. The report contains critical information about your pen test, including technical risks, the impact of the vulnerability, and remediation options.
    • Do you need a personalized executive summary?: A personalized executive summary will summarize the key points of your reports and is usually used for high level business reporting.


    The Step 8 of 8 page is displayed.

  10. Provide the following information:

    • How many weeks do you need your final test report?: A final test report is a summary of the results of your test. We will continue to deliver reports to you during tests depending on how many reports you’ve requested in the previous step.


    The Summary page displays a preview of the specified information.

  11. Review the displayed information. If any modifications are required, click Change and update the information.


  12. Click Submit for review:

    The Classic Pen Test engagement is created message is displayed.

    Bugcrowd will contact you to review and launch the program.

Account Management
Program Management
Submission Management
Integration Management