Updating the Program Brief

The Program Brief provides information about the bounty program.

You can specify details such as brand color, organization logo, program name, tagline, description, targets, rewards, and known issues. You can also request the safe harbor status and update the CrowdStream settings. Researchers read the Program Brief to understand the scope and purpose of the program, and view the targets that you want them to test.

See the following links for tips and tricks to write a successful Program Brief:

Go to the program’s Settings tab. The Program brief page is displayed.

To set the brand color, in the Your brand section, click within the displayed text box (top right corner) and specify the hex value for the required color.


To change the organization logo, click the displayed logo and choose the new logo.


Specifying Program Name, Tagline, and Description

In the Your brief section, specify the information for the fields provided in the following table.

| Field Name | Description |
| --- | --- |
| Name | Descriptive name for the bounty program, such as the name of your company or the application that is being tested. |
| Tagline | Short sentence that concisely describes your company, product, or bounty program. |
| Description | Details about the goal of your bounty program. To style your text, you can apply Markdown syntax. For more information, see using markdown for formatting content. |

For the Tagline and Description examples, see public program listing.


Embedding Images for Description and Target Information

You can embed images in the Description or Target information markdown fields, or attach images, to clarify the program scope to researchers. To embed an image, drag and drop it into the field, or paste it into the field. You can also click selecting and choose the image file that you want to attach.

For more information, see the embedding images section in using markdown for formatting content.

You can attach other file formats to provide additional information about the program. For the details, see uploading additional files.

Adding Target Information

A target is a Web application, mobile application, API, IoT device, hardware, or a website you want to include in your bounty program.

You can add or remove targets manually before a program is live. After the program is live, contact your Account Manager to add or remove any targets.

To specify the target information, in the Your brief section, describe the program scope, including details about the added targets. State explicitly which targets are in scope, which are out of scope, the focus areas, and so on. To style your text, you can apply Markdown syntax. For more information, see using markdown for formatting content.


You can add targets in the Program scope tab. For more information about targets, see target management.

Adding Program Rewards

You can specify the payment ranges that researchers can expect based on the technical severity of the submission. The reward amounts apply to valid submissions once the submission moves to the Unresolved state. Leave the fields blank for severity categories that are not rewarded.

To add the reward ranges, in the Reward ranges by severity section, specify the reward amount in the Low reward and High reward fields for each technical severity level. The minimum monetary reward is $20.


In the Maximum advertised reward field, specify the maximum reward (more than the highest P1 reward) that the organization will pay for an exceptional submission.


Displaying Known Issues

You can display the count of unique and duplicate vulnerabilities in the Program Brief. It includes P1 to P4 submissions in Triaged, Unresolved, Informational, and Duplicate states. To display the known issues in the Program Brief, select the Show Known Issues on program brief option.


Requesting Safe Harbor Status

To indicate safe harbor terms to researchers, you can set and view the program’s safe harbor status within Crowdcontrol.

Before requesting safe harbor status, make sure that you have met the following requirements for safe harbor compliance:

  • Extending Safe Harbor requires the following authorization and exemptions:
    • Authorization in accordance with Computer Fraud and Abuse Act (CFAA)
    • Exemption from Digital Millennium Copyright Act (DMCA)
    • Exemption from restrictions in Terms and Conditions that may interfere with conducting security research
  • Scope
    • Identify all in-scope assets so that there is no ambiguity around ownership and scope
  • Disclosure Policy
    • Display the program’s policy to help researchers understand the program

Any program on Crowdcontrol automatically completes the following requirements:

  • Rewards
    • Whether compensation is provided for (valid and unique) issues, and the form and magnitude of that compensation
  • Official Communication Channels
    • Exhaustive list of the communication methods that are considered acceptable by the organization for receiving and communicating any information associated with potential vulnerabilities
  • Explicit permission to complete research

After these are set, researchers can view the program’s status and filter for programs with full or partial safe harbor, so that they work only on programs that provide the legal protections they prefer.

For more information about safe harbor, see Disclose.io and Safe Harbor. To maintain an up-to-date bug bounty list, open a PR on Disclose.io within GitHub.

After you have met the preceding requirements, in the Program safe harbor status section, click Request safe harbor update to update the safe harbor compliance for the program.


Updating CrowdStream Settings

CrowdStream is Bugcrowd’s public activity feed. It displays activity for rewarded submissions, accepted submissions, resolved submissions, and coordinated disclosures. You can perform the following:

  • Enable CrowdStream Visibility for Program
  • Enable or disable researchers to request submission disclosure

For further information, see setting CrowdStream activity feed visibility.

Previewing Program Brief

After you have provided all the required information, click Generate brief preview.


Click Preview program brief. A preview of the updated Program Brief opens as a separate page and displays the information in the way it will appear to the researcher.

Preview Link: The preview link does not expire and can be used by anyone who obtains it. Anyone who has this link can participate in the bounty program, even if the program is private. The link is for internal use only and must not be distributed to outside researchers.


To clear the preview link, click Clear preview link.


Saving Program Brief Information

To save the information you have provided in the various sections, click Update program. The Program Brief is updated and researchers can view the new information.
