- Navigating to Program Brief
- Setting Your Brand Color and Organization Logo
- Specifying Program Name, Tagline, and Description
- Embedding Images for Description and Target Information
- Adding Target Information
- Adding Program Rewards
- Displaying Known Issues
- Requesting Safe Harbour Status
- Updating CrowdStream Settings
- Previewing Program Brief
- Saving Program Brief Information
You can specify details such as brand color, organization logo, program name, tagline, description, targets, rewards, and known issues. You can also request the safe harbor status and update the CrowdStream settings. Researchers read the Program Brief to understand the scope and purpose of the program, and view the targets that you want them to test.
See the following links for tips and tricks to write a successful Program Brief:
Navigating to Program Brief
Go to the program’s Settings tab. The Program brief page is displayed.
Setting Your Brand Color and Organization Logo
To set the brand color, in the Your brand section, click within the displayed text box (top right corner) and specify the hex value for the required color.
To change the organization logo, click on the displayed the logo and choose the new logo.
Specifying Program Name, Tagline, and Description
In the Your brief section, specify the information for the fields provided in the following table.
|Name||Descriptive name for the bounty program such as the name of your company or the application that is being tested.|
|Tagline||Short sentence that concisely describes your company, product, or bounty program.|
|Description||Details about the goal of your bounty program. To style your text, you can apply the Markdown syntax. For more information, see using markdown for formatting content.|
For the Tagline and Description examples, see public program listing.
Embedding Images for Description and Target Information
You can embed images in the Description or Target information markdown fields or attach images for clarifying the program scope to researchers. To embed images, you can drag-and-drop to the image into the field, or paste the images in the field. You can also click selecting and specify the image that you want to attach.
For more information, see embedding images section in using markdown for formatting content.
You can attach other file formats to provide additional information about the program. For the details, see uploading additional files.
Adding Target Information
A target is a Web application, mobile application, API, IoT device, hardware, or a website you want to include in your bounty program.
You can add or remove targets manually before a program is live. After the program is live, contact your Account Manager to add or remove any targets.
To specify the target information, in the Your brief section, provide information about the program scope including details about the added targets. Emphasize explicitly the in-scope targets, out-of-scope targets, focus areas, and so on. To style your text, you can apply the Markdown syntax. For more information, see using markdown for formatting content.
You can add targets in the Program scope tab. For more information about targets, see target management.
Adding Program Rewards
You can specify the payment ranges that the researchers can expect based on the technical severity of the submission. The reward amounts are applicable for valid submissions when the submission moves to the Unresolved state. Unrewarded severity categories are left blank.
To add the reward ranges, in the Reward ranges by severity section, specify the reward amount in the Low reward and High reward fields for the technical severity level. The minimum monetary reward is $20.
In the Maximum advertised reward field, specify the maximum reward (more than the highest P1 reward) that the organization will pay for an exceptional submission.
Displaying Known Issues
You can display the count of unique and duplicate vulnerabilities in the Program Brief. It includes P1 to P4 submissions in Triaged, Unresolved, Informational, and Duplicate states. To display the known issues in the Program Brief, select the Show Known Issues on program brief option.
Requesting Safe Harbour Status
To indicate safe harbor terms to researchers, you can set and view the program’s safe harbor status within Crowdcontrol.
Before requesting for the safe harbor status, make sure that you have met the following requirements for safe harbor compliance:
- Extending Safe Harbor requires the following authorization and exemptions:
- Authorization in accordance with Computer Fraud and Abuse Act (CFAA)
- Exemption from Digital Millennium Copyright Act (DMCA)
- Exemption from restrictions in Terms and Conditions that may interfere with conducting security research
- Identify all in-scope assets so that there is no ambiguity around ownership and scope
- Disclosure Policy
- Display the program’s policy to help researchers understand the program
Any program on Crowdcontrol automatically completes the following requirements:
- Whether compensation is provided for (valid and unique) issues, and the form and magnitude of that compensation
- Official Communication Channels
- Exhaustive list of the communication methods that are considered acceptable by the organization for receiving and communicating any information associated with potential vulnerabilities
- Explicit permission to complete research
After these are set, researchers can view the program’s status and filter by those with a full and partial safe harbor to make sure they are working on programs that provide them the legal measures they prefer.
For more information about safe harbor, see Disclose.io and Safe Harbor. To maintain an up-to-date bug bounty list, open a PR on Disclose.io within GitHub.
After you have met the preceding requirements, in the Program sage harbor status section, click Request safe harbor update to update the safe harbor compliance for the program.
Updating CrowdStream Settings
CrowdStream is Bugcrowd’s public activity feed and displays the activities for rewarded submissions, accepted submissions, resolved submissions, and co-ordinated disclosures. You can perform the following:
- Enable CrowdStream Visibility for Program
- Enable or disable researchers to request submission disclosure
For further information, see setting CrowdStream activity feed visibility.
Previewing Program Brief
After you have provided all the required information, click Generate brief preview.
Click Preview program brief. A preview of the updated Program Brief opens as a separate page and displays the information in the way it will appear to the researcher.
Preview Link: The preview link does not expire and may be used by anyone who retrieves this link. Anyone who has this link may participate in the bounty program, even if it is private. This link is for internal use only and should not be distributed to outside researchers.
To clear the preview link, click Clear preview link.
Saving Program Brief Information
To save the information you have provided in the various sections, click Update program. The Program Brief is updated and the researcher can view this information.