Adding Essentials Vulnerability Disclosure Program

A Essentials Vulnerability Disclosure Program allows you to embeded a submission form on your own website. You can accept, triage, and remediate security feedback about all internet-facing assets.

Before you create a Essentials VDP, you must have the following details:

  • Organization or company name
  • Domains to embed the submission form
  • Targets you want to specify in the program

The steps to add a Essentials VDP are:

  1. Provide a program name
  2. Review vulnerability disclosure policy
  3. Add domains where the submission form must be embedded
  4. Schedule program launch date
  5. Set targets
  6. Review details and submit

To add a Essentials VDP:

  1. In the Select a program to launch window, click Start for Vulnerability Disclosure Program.

    select-VDP

    The Step 1: Program name page is displayed.

  2. Provide a name for your program and click Next step.

    step-1-program-name

    The Step 2: Vulnerability disclosure policy review page is displayed.

  3. Read the disclosure policy. Perform the following:

    • Change reference name in policy: Change the name of your organization in the policy. Your organization name is used by default. You can change it to a division, legal name or entity.
    • Display this vulnerability disclosure policy above form: Bugcrowd provides customers with a standard vulnerability disclosure policy outlining the researchers’ expectations and states the customers’ commitment. You can choose to display your disclosure policy or make changes to the default policy by contacting your Account Manager.
    • I want to edit this vulnerability disclosure policy: Bugcrowd can assist you with editing this policy before the program is live.

    Click Next step.

    step-2-vulnerability disclosure policy review

    The Step 3: Configure embedded form page is displayed.

  4. Click Add a domain for specifying the domains where you want the submission form to be embedded.

    step-3-configure-embedded-form

    For example, https://example.com or *.example.com.

    step-3-configure-embedded-form-

    You can add multiple domains using Add another domain.

    To delete a domain, click the Delete icon.

    step-3-configure-embedded-form-delete-domain

  5. Click Next step. The Step 4: Schedule launch page is displayed.

  6. Select the preferred launch timeline. The options are:

    • As soon as possible
    • Within a month
    • More than a month

    step-4-schedule-launch

  7. Click Next step.

    The Step 5: Set targets page is displayed.

  8. Click Add target to add public-facing targets that belong to your organization. This helps researchers to focus their efforts on finding vulnerabilities in specific targets.

    step5-set-targets

    The Add a target pop-up window is displayed.

  9. Specify the following information:

    • Name: Select a target from the drop-down menu or specify a new target.
    • Tags: Select the tags associated with the target.
    • URL/Location: Provide the complete URL for researchers to access this target. Include the URI and URL for the website, application, API, or the app store link to the mobile application. Bugcrowd’s servers will occasionally poll these targets to test connectivity and composition.
    • Category: If you select an existing target name, then the category is displayed by default. If you have specified a new target name, then select the required category:

      • Website Testing
      • API Testing
      • iOS
      • Android
      • IoT
      • Hardware Testing
      • Other

    step5-add-target-pop-up-window

  10. Click Add.

    The target is added and the Target added to the program scope message is displayed.

    step5-added-target

    If you want to edit the target details, click the edit icon in the Actions column.

    step5-edit-target

    If you want to delete a target, click the delete icon in the Actions column.

    step5-delete-target

    The following pop-up message is displayed. Click Remove.

    step5-delete-target-pop-up-message

    Targets in this list will be independently and automatically tracked.

    Select the Allow targets to be selected from embedded submission form option. Researchers can select the targets listed here in the form they use to submit vulnerabilities. This is beneficial when reviewing submitted vulnerabilities because it adds context to where the vulnerability exists.

    step-5-allow-target-selection-from-embedded-form

  11. Click Next step. The Step 6: Review and submit page is displayed. Review the information that you have provided. In case you want to modify any details, click Edit and make the changes.

    step-6-review-submit

  12. Select the I agree to be responsible effective, and engaged program owner option and click Submit.

    step-6-agree-to-be-responsible

    The Your program has been submitted for review message is displayed.

    Bugcrowd will contact you to review and launch the program.


Onboarding
Account Management
Program Management
Reporting
Submission Management
Integration Management