Program Owner Start-Up Guide

To get started, sign in and familiarize yourself with the The Crowdcontrol Navbar. Using this toolbar, you will be able to navigate through the platform to access your Security Programs and Engagements and perform tasks such as assigning roles and permissions, building and managing an engagement brief, targets, and reviewing and accepting submissions.

For more information on commonly requested topics for getting started with Bugcrowd, please see the Getting Started with Bugcrowd Guide.

Step 1 - Invite team members and assigning roles

Each Crowdcontrol role provides different visibility and job responsibilities for each member of your team. You can assign an appropriate role for your team members based on the tasks you want them to perform. These roles may be adjusted at any point as needed. For information about adding new team members, see adding team members.

Step 2 - Assign a team member to monitor the Security Program

It is important to understand that while Crowdcontrol makes it easier to run a bug bounty engagement, your Security Program requires ongoing attention. We recommend having at least two Program Owners on a Security Program to ensure that if one is not available, that there’s continued coverage. Furthermore, having two people helps to ensure tasks are handled in a more expedient manner, helping build trust and partnership with the researcher community.

Step 3 - Make your organization aware of the Security Program

Running a Security Program doesn’t stop at just one person managing the day to day of the program. It’s also critical that the entire organization is aware of the Security Program, and what policies are in place across departments. You should have internal processes in place to ensure the timely processing and remediation of found issues, as well as prioritization guidelines over existing work. This will likely require working directly with multiple project owners, developers, and so on. And while it’s most important that the technical folks are well informed and directed, it’s also important that you understand the extent to which this will affect other departments. For example, marketing or sales folks should be aware of testing on public website forms, customer service folks should be prepared to field related questions, etc.

Step 4 - Review your attack surface

Before getting started, know your attack surface. Initiate extensive audits of your apps and libraries to help you understand where and how you’re vulnerable, and identify what is most important to your business. This will help you prioritize which assets you will select for testing.

Step 5 - Build your bounty engagement brief

Although Bugcrowd will assist you with this process, we always recommend you take the first step and draft the initial framework of your brief. By going to our Public Programs list you can see examples of existing briefs.

Step 6 - Import known issues

Prior to the launch of your Security Program, import all known issues into Crowdcontrol using a properly formatted CSV file. It is important for Crowdcontrol to identify these known issues to help filter any incoming duplicate submissions upon the launch of your Security Program.

Step 7 - Set up integration(s)

Crowdcontrol has the ability to integrate with a number of different applications, depending on your business needs. We recommend integrating your ticketing system and SSO (single sign-on) application first. Ticketing integration will help streamline the ‘need to fix’ vulnerability notification process directly to your development team. For information on Integrations and what applications are supported, please click here.