Adding an Essentials Vulnerability Disclosure Program

An Essentials Vulnerability Disclosure Program (VDP) allows you to embed a submission form on your own website. You can accept, triage, and remediate security feedback about all internet-facing assets.

Before you create an Essentials VDP, you must have the following details:

  • Organization or company name
  • Domains to embed the submission form
  • Targets you want to specify in the program

The steps to add an Essentials VDP are:

  1. Provide a program name
  2. Review vulnerability disclosure policy
  3. Add domains where the submission form must be embedded
  4. Schedule program launch date
  5. Set targets
  6. Add payment details
  7. Review details and submit

To add an Essentials VDP:

  1. In the Select a program to launch window, click Start for Vulnerability Disclosure Program.

    The Step 1: Program name page is displayed.

  2. Provide a name for your program and click Next step.

    The Step 2: Vulnerability disclosure policy review page is displayed.

  3. Read the disclosure policy. Perform the following:

    • Change reference name in policy: Change the name of your organization in the policy. Your organization name is used by default. You can change it to a division, legal name or entity.
    • Display this vulnerability disclosure policy above form: Bugcrowd provides customers with a standard vulnerability disclosure policy that outlines the researchers’ expectations and states the customers’ commitment. You can choose to display your disclosure policy or make changes to the default policy by contacting your Account Manager.
    • I want to edit this vulnerability disclosure policy: Bugcrowd can assist you with editing this policy before the program is live.

    Click Next step.

    The Step 3: Configure embedded form page is displayed.

  4. Click Add a domain to specify the domains where you want the submission form to be embedded.

    For example, https://example.com or *.example.com.

    You can add multiple domains using Add another domain.

    To delete a domain, click the Delete icon.

  5. Click Next step. The Step 4: Schedule launch page is displayed.

  6. Select the preferred launch timeline. The options are:

    • As soon as possible
    • Within a month
    • More than a month

  7. Click Next step.

    The Step 5: Set targets page is displayed.

  8. Click Add target to add public-facing targets that belong to your organization. This helps researchers focus their efforts on finding vulnerabilities in specific targets.

    The Add a target pop-up window is displayed.

  9. Specify the following information:

    • Name: Select a target from the drop-down menu or specify a new target.
    • Tags: Select the tags associated with the target.
    • URL/Location: Provide the complete URL for researchers to access this target. Include the URI and URL for the website, application, API, or the app store link to the mobile application. Bugcrowd’s servers will occasionally poll these targets to test connectivity and composition.
    • Category: If you select an existing target name, then the category is displayed by default. If you have specified a new target name, then select the required category:

      • Website Testing
      • API Testing
      • iOS
      • Android
      • IoT
      • Hardware Testing
      • Other

  10. Click Add.

    The target is added and the Target added to the program scope message is displayed.

    If you want to edit the target details, click the edit icon in the Actions column.

    If you want to delete a target, click the delete icon in the Actions column.

    The following pop-up message is displayed. Click Remove.

    Targets in this list will be independently and automatically tracked.

    Select the Allow targets to be selected from embedded submission form option. Researchers can select the targets listed here in the form they use to submit vulnerabilities. This is beneficial when reviewing submitted vulnerabilities because it adds context to where the vulnerability exists.

  11. Click Next step. The Step 6: Add Payment details page is displayed.

    You can either pay using existing credits or using a credit card.

  12. To pay using existing credits, select the I would like to use my credits to pay for this program option. A Bugcrowd representative will contact you to arrange payment using credits. When you select this option, the card details and the billing information are hidden. Only the card expiry date is displayed.

  13. To pay using a credit card, specify the following payment information:

    • Name on the card
    • Card number (saved cards will be available for selection in the drop-down list)
    • Card expiry
    • CVV

    Cards are charged in USD. This card will be stored as a funding source. Funding sources can be managed from the Accounting section. All financial information is encrypted and securely stored.

    Specify the following billing information:

    • Select the Use organization details option to pre-fill the following information from the organization details. You can change the details if required. If you do not want to pre-fill the details, then specify the information in each field.

      • First name
      • Last name
      • Company name
      • Address
      • Suburb/city
      • State/province
      • Zip/postal code
      • Country

    If you have any questions about paying and launching the program, click Save and schedule a call to schedule a call with a Bugcrowd representative.

  14. Click Next step. The Step 6: Review and submit page is displayed. Review the information that you have provided. If you want to modify any details, click Edit and make the changes.

  15. Select the I agree to be a responsible, effective, and engaged program owner option and click Submit.

    The Your program has been submitted for review message is displayed.

    Bugcrowd will contact you to review and launch the program.

