[ { "title" : "Customer Changelog", "category" : "customer", "tags" : "", "url" : "/customers/changelog/", "date" : "", "content" : "Subscribe to updates at https://docs.bugcrowd.com/feed/changelogs/customer.xml. Sep 9th, 2020 New Documentation Site Improved Design and Search at the same location https://docs.bugcrowd.com Added Atom Feed Sep 1st, 2020 API Token usage Added Visibility into usage of API tokens across the team Aug 22nd, 2020 Inviting Researchers Added Customers can invite researchers Jul 30th, 2020 Viewing NDA Compliance Status Added Compliance Status on Researcher Page Improved SSO Domain Validation no longer identifies Bugcrowd A submission’s disclosure policy is defined based on when the submission was submitted Apr 16th, 2020 Attack Surface Management Asset Inventory - Dashboards and other updates Added New features in Attack Surface Management: Asset Inventory - Dashboards and other updates Mar 31st, 2020 New features in Attack Surface Management - Asset Inventory Added New features in Attack Surface Management - Asset Inventory Mar 28th, 2020 Self-Service Program Initiation Now Available Added Adding new engagement Mar 25th, 2020 Customer On-call Person Added Customer On-call person On-Demand Programs require a Max and Min for reward levels Updated On-Demand Programs require a Max and Min for reward levels Mar 5th, 2020 Slack Integration Notification for Blockers Added Slack integration notification on Blockers Disclosure enabled by default for new programs Improved Notifications for external researchers ADA compliance of external submission form Manage assignment and Custom fields when On-Demand programs are running Dec 20th, 2019 CrowdStream and Coordinated Disclosure Added Setting CrowdStream activity feed visibility Managing disclosure request Priority Percentile to understand Researcher’s performance Nov 29th, 2019 IBM Resilient Integration Added IBM Resilient Filter submissions using custom fields Oct 23rd, 2019 Program Announcements Added 
Program announcements Bugcrowd’s Slack Integration is now available in the Slack App Directory Bugcrowd’s Jira Integration is now available in the Atlassian Marketplace Improved Additional search filters within Submission API Aug 21st, 2019 Filtering Customer Blockers Added Submission Preset Queries Jira Issue Creation from New to Triaged Aug 13th, 2019 Customer Blockers Added Create blockers Report researcher incidents Improved Known issue sharing shows vulnerabilities across targets on multiple programs May 8th, 2019 Public Program Credential Support and Improved Target Management Improved Public Programs can now support credentials Edit targets in program settings Added Callout for customers when program is about to launch or has recently launched May 3rd, 2019 Safe Harbor Added Display customer’s Safe Harbor status within their brief Apr 11th, 2019 Image Embeds Added Customer Image Embed Settings Apr 10th, 2019 Retesting Update Added Retesting platform support Apr 2nd, 2019 Program Search Launched Improved Renamed Additional Fields tab to Fields and Settings Renamed Known Issues tab to Import Issues Mar 20th, 2019 Integration Updates Improved Jira authentication is now available via OAuth for both Cloud and Server Added ServiceNow integration Mar 15th, 2019 Updating to VRT 1.7 Added Automotive Security Misconfiguration category Sensitive Data Exposure > Weak Password Reset Implementation > Token Leakage via Host Header Poisoning as a new P2 variant, which is consistent with how this issue has been triaged by Bugcrowd’s Application Security Engineers so far. 
Two new P4s related to 2FA Secret Management Improved Remediation Advice links to latest OWASP Documentation Feb 20th, 2019 GitHub Integration Added GitHub Integration Feb 16th, 2019 Customer Avatar Added Changing Your Profile Avatar Feb 16th, 2019 Comparison Operators for Dates Improved Tokenized date search Feb 16th, 2019 Bugcrowd mention Improved Direct comment to user with triage team Dec 18th, 2018 Updated Standard Disclosure Terms Improved Standard Disclosure Terms Dec 18th, 2018 File Support Update Improved Platform supports 100MB for all file uploads Dec 18th, 2018 Application Security Engineer Listed Added Application Security Engineer listed Nov 14th, 2018 Updating to VRT 1.6 Improved VRT 1.6 Nov 1st, 2018 Add Reward Update Added Add Reward Range Oct 30th, 2018 2FA Check Feature Oct 27th, 2018 Updating to VRT 1.5 Improved VRT 1.5 Known issue P5s Oct 3rd, 2018 Enhancements Made to Jira Integrations Added Automatically Push Submission Comments into Jira Map VRT to fields within Jira Map a Submission’s UUID to fields within Jira Sep 24th, 2018 Crowdcontrol Improves Adjusted Payment Workflow Added Adjusting mistaken rewards workflow updated: Customers can send mail to support@bugcrowd.com. 
Sep 22nd, 2018 Minor Tokenized Search Bugs Fixed Fixed Duplicate query values no longer appear in tokenized search Tokenized search issues with dates Sep 19th, 2018 Improvements Made to Boost Submission Workflow Efficiency Added Submission Blockers Use multiple sorting criteria for tokenized search Improved Edit Submission Field Aug 16th, 2018 Improved SDLC and Remediation Support Improved Jira Integration Supports Comments Downloadable CSV Report Includes Remediation Advice Aug 16th, 2018 Crowdcontrol Usability More Intuitive Improved Edit multiple fields on a single submission at one time Added Identify Bugcrowd employees in activity feeds with a new icon identifier Aug 8th, 2018 Hacker Education with Bugcrowd University Added Bugcrowd University Jul 11th, 2018 Improved Platform Usability Improved Tokenized search Known Issue Sharing displays Won't Fix Program code can now have hyphens Push to Jira button now gives instant feedback Fixed Sorting researchers within Crowdcontrol by last submitted Jul 3rd, 2018 Advanced Crowdcontrol UX Added Unique Avatars - distinct default avatars to easily identify users. [Customer] Hover over an avatar to show a user’s email address. Highlight recently updated on the Programs page Indication on customer’s programs page which programs are demos. Leveraging program or user images for unfurling. Improved Use Crowdcontrol on the go, now with a responsive navigation bar. Change states without needing to dismiss thanks to notifications shown below the customer state dropdown. Jul 2nd, 2018 Enhanced Security Tracking Capability Added Security Event Log Jun 21st, 2018 Multiple Jira Project Support & Flexible Jira Sync Improved Jira Advanced Field Configuration Added Jira Multi-Project Support Jun 19th, 2018 Updating to VRT 1.4 Improved VRT v1.4 is shipped. 
Apr 21st, 2018 Enhance Program Metrics Fixed Transaction Times within insights take into account skipped states Validation Time within the Bounty Brief takes into account submissions that have not been validated yet Improved Bounty average payouts only include first to find, P1-4 payouts Apr 17th, 2018 Heightened Platform Security and Usability Added Remove timeout, instead using re-authentication prompts. Interactive Session Management UI Improved Added SSO indicators for authentications within the Session Management interface. Apr 17th, 2018 Crowdcontrol Increases Visibility Added Known Issue Sharing View change log Feb 16th, 2018 New Crowdcontrol Enhancements and Improved Platform Efficiencies Added Search by Custom Fields with the Submission Search Bar Pick-list support within Jira integration Search result number count when using the Submission Search Bar Insights filter toggle - offering a clean display for sharing data on TVs Improved Tailored experience with new notification settings Page design refreshes on the Rewards page Jan 17th, 2018 Improved Program Performance Tracking and Platform Efficiency Improved Program performance metric to Program Page (Time to Validation) VRT Categories to Tokenized Search [Customer] Customers can “read” credentials if enabled on their program Dec 22nd, 2017 Enhanced Security & Improved Functionality Offer Seamless Usability Added Platform Security – Implemented CSP protections Drag and drop to sort the order of targets on your bounty brief Filter by the Submitted Date (Tokenized Search) Nov 22nd, 2017 New Submission Search Bar and Filtering Added Search bar has been launched within Crowdcontrol Improved Known issue import no longer requires submitted_at to be set, defaulting to the current time. Text search within Crowdcontrol is now more accurate in filtering for exactly what you search for, no longer trying to handle misspellings. 
Oct 19th, 2017 Improved Efficiency with CVSS and Notifications Added CVSS scores get backfilled based on VRT after CVSS is enabled on a program Email notifications are now easier to track: notifications grouped by submission are delivered as a thread within email clients Oct 10th, 2017 Added CVSS Calculator Added Organizations can manage submission severity with CVSS v3 Oct 4th, 2017 Introducing VRT 1.3 Improved VRT v1.3 is shipped Sep 26th, 2017 New Notification Management and Downloadable Data Added View and manage your notifications all from the new notifications page. Download CSV of reward data from Crowdcontrol. Sep 22nd, 2017 New Embedded Submission Form Added Use the Embedded Submission Form integration to integrate a submission form from your own website rather than through Bugcrowd. Sep 15th, 2017 Improved Notifications Improved Viewing unread notifications automatically marks them as read Sep 6th, 2017 Seamless Crowdcontrol Quick Search Added Enable syntax highlighting in your fenced code blocks when writing or commenting on a submission. Use Quick Search to find exactly what you’re looking for in Crowdcontrol. Sep 1st, 2017 Advanced API Documentation Added New API docs are available. created_at DateTime within the Comment Object Aug 11th, 2017 VRT 1.2, Improved Functionality, and New Integration Added Attach a file to comments within Crowdcontrol. Import known issues found in Qualys WAS scans into Crowdcontrol Improved v1.2 of the VRT is available Custom fields now support up to 2048 characters. Aug 1st, 2017 Slack Integration Added Slack integration is now available Jul 26th, 2017 VRT Goes Open Source Added The VRT gem is now open sourced. Jul 17th, 2017 Enhanced Reporting Improved Rewards are now listed in the order in which they were rewarded. Added CSV exports of submissions now include information about the target (name and category) and the source of the submission. 
Jul 13th, 2017 Simplified Workflow and Improved Filtering Added Source filters are now available in Insights. Switching between programs now takes you to the same page in the selected program. Jul 6th, 2017 Improved Clarity and Workflow Added Researchers can now upload an attachment to a comment New and Triaged submissions can be auto-assigned to a team member. Jun 27th, 2017 Print a Submission Added Individual submissions can now be printed within Crowdcontrol Jun 23rd, 2017 Improved Security and Transparency Improved Password entropy validation will be performed on any page where a password can be changed. Public program response metrics for a program can now be viewed without logging in to the platform. P5 submissions can now be viewed and filtered in Insights. " } , { "title" : "Program Owner Start-Up Guide", "category" : "customer", "tags" : "onboarding", "url" : "/customers/getting-started/owner-guide/", "date" : "", "content" : "To get started, sign in and familiarize yourself with the Crowdcontrol Navbar. Using this toolbar, you will be able to navigate through the platform to perform tasks such as adding new team members, updating the Program Brief, and managing the Submissions Page. Step 1 - Invite team members to the program. Each Crowdcontrol role provides different visibility and job responsibilities for each member of your team. You can assign your team members the appropriate role based on the tasks you want them to perform. These roles may be adjusted at any point in time during your program. To invite someone to a program, go to Program Settings > Manage team and click the Invite a team member button. Step 2 - Assign a team member to monitor the program. It is important to understand that although Crowdcontrol makes it easier to run a bug bounty, your program requires consistent attention. Having at least one individual on your security team assigned to monitor the program is highly recommended. 
Running a bug bounty program is not the same as turning on a generic scanner whose results can be ignored until there’s time to address them, or a penetration test which delivers results on a predetermined date. Neglecting researcher submissions will do you no favors, and will undermine the potential success of your program. Step 3 - Make your organization aware of the program. Running a bounty program doesn’t stop at the one person who’s been managing the day to day of the program. It’s also critical that the entire organization is aware of the bounty program, and that policies are in place across departments. You should have processes in place to ensure the timely processing and remediation of found issues, as well as prioritization guidelines over existing work. This will likely require working directly with multiple project owners, developers, and so on. And while it’s most important that the technical folks are well informed and directed, it’s also important that you understand the extent to which this will affect other departments. For example, marketing or sales folks should be aware of testing on public website forms, customer service folks should be prepared to field related questions, etc. More Info: For more info on this topic, review the process of the Bug Bounty Lifecycle. Step 4 - Review your attack surface. Before getting started, know your attack surface. Initiate extensive audits of your apps and libraries to help you understand where and how you’re vulnerable, and identify what is most important to your business. Step 5 - Build your bounty program brief. Although Bugcrowd will assist you with this process, we always recommend you take the first step in building the initial framework of your bounty brief. By going to our Public Programs list you can see examples of bounty briefs. 
To edit your brief, navigate to the Settings tab on the Crowdcontrol toolbar. More info on building a great bounty brief: The Anatomy of a Bounty Brief, Creating a Scope, Defining Exclusions. Step 6 - Import known issues. Prior to the launch of your program, import all known issues into Crowdcontrol using a properly formatted CSV file. It is important for Crowdcontrol to identify these known issues to help filter any incoming duplicate submissions upon the launch of your program. More Info: To learn more about importing known issues, review the Known Issues Imports page. Step 7 - Set up integrations. Crowdcontrol has the ability to integrate with a number of different applications, depending on your business needs. We recommend integrating your ticketing system and SSO (single sign-on) application first. Ticketing integration will help streamline the ‘need to fix’ vulnerability notification process directly to your development team. For information about how to integrate your ticketing system, see Jira or Trello. For information about how to integrate your SSO application, see OneLogin, Okta, or Ping Identity. Now that you have gone through our Program Owner Start-Up Guide, we recommend that all users who will be working within Crowdcontrol review the User Start-Up Guide." } , { "title" : "The Crowdcontrol Navbar", "category" : "customer", "tags" : "onboarding", "url" : "/customers/getting-started/the-crowdcontrol-toolbar/", "date" : "", "content" : "Below is a brief explanation of the functionality of each tab on the toolbar. Call-out Name Description 1 Home Go back to the Home page at any time to view all of your programs. 2 Programs List Quickly navigate to or search for other programs. 3 Summary See the most recent activity in your program and your assigned submissions. 4 Submissions View and manage all submissions for the program. 5 Researchers View researchers who have submissions and are participating in the program. 
6 Rewards View reward amounts and trends for the program. 7 Insights Build a report to better understand how well your program is doing. 8 Program Settings Create your bounty brief, set up integrations, set your program scope, manage your team, and import known issues. 9 Notifications View notifications for all programs. 10 Profile and Organization Settings Manage your organization’s settings, such as your team, SSO settings, and targets, or manage your account settings, such as 2FA, notifications, and personal details. Account and Organization Settings. From your avatar, you can access your account and organization settings, which are grouped accordingly. Your account settings allow you to manage anything that is specific to you and your personal account, such as your email, notifications, API credentials, and account security. Organization settings, on the other hand, let you manage anything that is related to your organization as a whole, such as the admins, targets, authentication methods, and domains for your company. Notifications. The notifications icon alerts you when something needs your attention or when an action is taken on a vulnerability submission in which you are involved. Clicking on the icon takes you to the Notifications page. To manage your notification settings, see manage notifications." } , { "title" : "The Home Page", "category" : "customer", "tags" : "onboarding", "url" : "/customers/getting-started/the-dashboard-page/", "date" : "", "content" : "If you are running multiple programs, the program dashboard is the first page that appears after you log in to Crowdcontrol. The program dashboard allows you to see at a high level which programs have submission activity. To access a specific program, click on the program you want to go into. After you select a program, you’ll be taken to the program page, which helps you keep track of the submissions in the program that you are assigned to, following, or engaged in. 
The dashboard comprises three main areas: the submissions’ status, the recent activity stream, and the assigned submissions stream. Viewing Processing, To Review, To Fix, and Fixed Submissions. The dashboard displays a snapshot of the submissions in the bounty program. At a high level, you can quickly monitor the workflow stages of all submissions based on the next actionable step that needs to take place. For example, submissions in the Processing stage are New submissions that are waiting to be triaged and validated by a Bugcrowd application security engineer. Stage Status Details Processing New These are new, incoming submissions that are waiting to be triaged and validated by a Bugcrowd application security engineer. To Review Triaged These submissions have been triaged and validated by a Bugcrowd application security engineer and are awaiting review and validation by the customer’s security team. To Fix Unresolved These submissions have been accepted by the customer as a vulnerability that needs to be fixed. At this time the customer’s development team has been tasked to fix the issue but it is yet to be patched. Fixed Resolved These submissions have been fixed by the customer and marked as a resolved submission in Crowdcontrol. To view the submission status inbox for a particular status, click on one of the stages above. Viewing the Recent Activity Stream. The Recent Activity stream lets you stay up to date on the most recent activity in the program, such as comments that have been added to a submission, submission statuses that have been changed, and rewards that have been given out. To help you identify researchers in the activity feed, rewards, and submission comments, Bugcrowd will automatically generate and assign a unique avatar to researchers who have not uploaded a profile photo. 
This allows you to quickly track and differentiate between certain users. Viewing Assigned Submissions. The assigned submissions section lets you quickly view and navigate to the submissions that you are currently assigned." } , { "title" : "The Researchers Page", "category" : "customer", "tags" : "onboarding", "url" : "/customers/getting-started/the-researchers-page/", "date" : "", "content" : "The Researchers Page provides data that you can use to gain insight into the submissions that have been made to your program. You can view the following: Total number of researchers who were invited to the program Total number of researchers who made submissions to the program Total number of submissions Total number of valid submissions Participating researchers. For each researcher, you can view the following: Researcher name Priority percentile Number of valid submissions Total number of submissions Date when the researcher last made a submission Compliance requirements status - When a researcher has signed the NDA, the status is Signed Documents. After Bugcrowd has approved the NDA, the status changes to Signed Documents with a green mark. Similarly, if the researcher has enabled two-factor authentication as part of the compliance requirements for a program, you can view this in the program > Settings > Manage Team tab. To view the priority percentile for a researcher, hover on the pentagon icon to display a graph of the priority percentiles in relation to other researchers. For more information about priority percentile, see the priority percentile section in the researcher profile. Click the researcher name to view the researcher profile. For more information about the researcher profile, see researcher profile." 
} , { "title" : "The Rewards Page", "category" : "customer", "tags" : "onboarding", "url" : "/customers/getting-started/the-rewards-page/", "date" : "", "content" : "All team roles can access the Rewards page. From the Rewards Page, you can do the following things: Graph the payment data over a period of time. View the total number of rewards paid out by the program. View the highest reward amount that has been paid to a researcher. Identify the average reward amount. Find out how much money you have left in the bounty program. View a list of researchers who have received a reward. Filter the data in the graph to show payment trends over 7 days, 14 days, 30 days, and all time. Export the data in the “Rewards History” table as a CSV file. The Payment Graph. The Payout graph lets you view the total amount of payouts over a period of 7 days, 14 days, 30 days, 60 days or all time. You can use the filters to control the scope of data in the graph. Program Payout Stats. You can view the payout stats to determine the highest amount that has been paid to a submission, the average payout amount, and the total amount of money left in the bounty program. The Average Reward statistic does not include any tips paid to a researcher. Tips are not included as part of a standard payout if: They are paid out in a points-only program. They are paid out on top of a reward that has already been paid. They are paid out on submissions that have been rejected because they are duplicates or not applicable. 
They are paid out on submissions that do not have a suggested reward amount, such as submissions that are P5. The Reward History. The Reward History displays all submissions that you have rewarded for the program. Exporting a CSV of Rewards Data. To export a CSV of the information in your Reward History table, click Download CSV. The exported data will include: The reference number associated with a bug report The amount that was paid to the researcher The title of the bug report The date and time the bug was submitted The researcher who submitted the report" } , { "title" : "The Submissions Page", "category" : "customer", "tags" : "onboarding", "url" : "/customers/getting-started/the-submissions-page/", "date" : "", "content" : "From the Submissions page, you can perform the following tasks: Search and filter submissions based on status and assignee Set the status for a submission Reward a submission Set the priority for a submission Assign a submission to someone in your organization Subscribe to a submission to get updates View a submission’s details Reply to the researcher regarding a particular submission View priority percentile. Role Requirements for Viewing and Managing Submissions: Your role in the organization determines your level of interaction with a submission. Submission Inbox. The Submissions Inbox lists all submissions on the left hand side of the screen. You can click on any submission to view its details. The submissions filter lets you narrow the list of submissions down based on a set of criteria. To learn how to build a filter query, see filtering submissions. Submission Details and Activity Stream. The Details and Activity Stream displays the information for the submission you currently have selected in the Submission Inbox. You can review the details to learn what the bug is and how the researcher discovered it. 
Below the details, you can view the activity for the submission, which includes comments and historical events. Read more about the submission details and activity stream. Submission Settings. The Submission settings display all of the tasks that you can perform for a submission, which include the following: Change a submission priority Reward a submission Assign a submission Subscribe to a submission. Add Reward. The Add Reward dialog shows when a suggested reward amount differs from the range currently in the program settings. If the range changes, researchers can still expect to be paid according to what was advertised at the time they created their submissions." } , { "title" : "User Start-Up Guide", "category" : "customer", "tags" : "onboarding", "url" : "/customers/getting-started/user-guide/", "date" : "", "content" : "As a daily user, your main focus will be to manage the lifecycle of a vulnerability submission, from the time it is triaged and validated, to when your team approves the vulnerability, passes it to your development team, and rewards the researcher. Depending on the size of your security team and your role, your responsibilities during this process may vary. Whether you manage one step of this process, or the entire thing, all submission engagement will exist on the Submissions page. This is where most of your time will be spent. 1. Receive Notification. Once a vulnerability has been submitted to the program, a notification message will be sent to your email as well as to your Notification Inbox within Crowdcontrol. Notification alerts may be adjusted to your personal preference. For more information, see managing notifications to learn how to change your notification settings. 2. Evaluate Vulnerability. Once the vulnerability has been triaged and validated by Bugcrowd, you will need to evaluate the submission to determine who on your team is best suited to further validate and approve this bug. 
Assign the appropriate team member using the Assignee tool in the right hand column of the Submissions page. 3. Validate Vulnerability. Review the vulnerability report - use the information provided within the submission details to validate and give final approval to the submission. If the report is missing any information, contact the researcher directly using the reply to message box below the report. To get a second opinion, leave a note, or include a team member in this process by using the leave a team note message box below the report. For more information, see commenting on a submission. 4. Approve Vulnerability. After validating the vulnerability, confirm the bug’s priority level on the right hand side. Move the submission to an unresolved state once you have recreated and validated the vulnerability. An unresolved submission indicates that this vulnerability needs to be fixed. To do this, use the drop down arrow in the right hand corner and select unresolved. If integrated, your ticketing system will send a ticket notifying your development team. 5. Reward Vulnerability. A pop-up reward box will appear with a market rate payout suggestion based on the priority of the vulnerability and your organization’s security maturity. The final reward amount may be manually adjusted accordingly. Take into consideration the organizational impact of the target to determine an increase in payout. Click Submit to reward the researcher. Determining the right reward: Take a look at Bugcrowd’s VRT (Vulnerability Rating Taxonomy) and DVPM (Defense Vulnerability Pricing Model) to better understand the science behind prioritizing and paying out vulnerabilities." 
} , { "title" : "Welcome", "category" : "customer", "tags" : "onboarding", "url" : "/customers/getting-started/welcome/", "date" : "", "content" : "This site contains information about product setup, usage, system administration, and user management for Crowdcontrol. If you are a new program owner starting your very first program with Bugcrowd, see owner’s guide. If you have received an invitation to Crowdcontrol as a new user, see user’s guide. To help get you started, view the following sections: The Crowdcontrol Navbar The Dashboard Page The Submissions Page Changing Bounty Programs Understanding Roles and Permissions. If you need help with a particular topic, you can search for it by keyword. Click the search icon in the top bar. The Search Documentation text box is displayed. Type a keyword to display the relevant topics. For general product education, you can explore topics listed on the left. Stay up to date with Crowdcontrol updates by viewing the changelog. If you cannot find the answer to your question here, send an email to support@bugcrowd.com." } , { "title" : "Getting Started with Bugcrowd | FAQs", "category" : "customer", "tags" : "onboarding", "url" : "/customers/getting-started/with-bugcrowd/", "date" : "", "content" : "Welcome! This page shares frequently requested details. Recurring Themes. As you go through this doc, you’ll note a few recurring themes that tend to come up fairly often, namely: 1. How to work with Researchers. Please be mindful that Researchers have a choice about how to spend their time and effort. When building and managing your program, ask yourself whether you would enjoy working under the circumstances you have set for Researchers. If you have questions about how to foster a strong relationship with your researchers, read on! 2. 
Your role in a Managed Service. Bugcrowd’s managed services are designed to reduce the amount of resources and time you have to expend on your program; that said, it’s still important to understand the role you play in ensuring continual program growth and success. Our team is skilled in understanding the levers of program health, and will periodically advise when further actions or decisions are needed on your part. The more proactive you are during this process, the more likely you are to see better results from the program as a whole. 3. Data-based decisions. Bugcrowd has run over 500 managed programs to date, which has helped us amass a hefty repository of program success metrics. Please understand that all of the advice outlined in this document is based on our deep understanding of how to effectively manage outstanding programs for our customers. Some definitions. Crowdcontrol is the official name of Bugcrowd’s platform that can be found at https://tracker.bugcrowd.com/. This portal is where you’ll set up and manage your program on Bugcrowd. The Program Brief is a single page, researcher-facing document that contains all the relevant information regarding your bounty program (what’s in/out of scope, rewards, how submissions will be rated, instructions for accessing or testing the application, etc). For examples of current public bounty briefs, visit https://bugcrowd.com/programs. After the initial kickoff call with your Solutions Architect, we’ll work with your team to create a concise and effective program brief. Bugcrowd’s Vulnerability Rating Taxonomy, or VRT, is the basis by which we rate the technical impact of findings, and thereby assign relative priorities that range from critical (P1 - highest reward) to informational (P5 - no reward). 
Prior to launching any program, it’s important to familiarize yourself with this taxonomy, which can be found at https://bugcrowd.com/vrt, as your organization may have different preferences regarding the prioritization or rating of particular vulnerability types. This taxonomy may be modified to your individual needs as you see fit – be sure to discuss any deviations with your Solutions Architect, and document those changes on your bounty brief. Process for launching your program: 1. The people you’ll be working with: Solutions Architect (SA) - Your technical point of contact, who will cover scoping out the program as well as helping build the Program Brief. They will be the primary point of contact during the setup period, and will re-engage for any future technical questions. Account Manager (AM) - After the program is live, the day-to-day communication and regular check-ins will be managed by the AM. They’ll work collaboratively with you and your team to grow and mature the program over time. The Account Manager is also responsible for the renewal and most contract-related topics. Application Security Engineer (ASE) - This is the person who will be triaging all the inbound findings into your program. Most Program Owners work very closely with their ASEs, and if you have any questions regarding submissions, they’ll typically be answered by the ASE directly on the submission itself via comments. Sometimes there will be multiple ASEs on a single program. 2. The timeline for going live: Day 0: Introductions via email + setting up a kickoff call. Day 1-3: Kickoff call between yourself + your Solutions Architect. Program scope/expectations, as well as a tentative/targeted launch date, will be covered during this conversation. Day 3-7: Collecting/setting up any outstanding action items as a result of the kickoff call. 
Day 5-7: With everything collected and in hand one week prior to the targeted launch date, Bugcrowd will confirm the launch and organize a platform walkthrough. Day 10-12: Program launch + platform walkthrough call + scheduling a post-launch sync for one week after launch. Day 15-17: Post-launch sync to discuss program adjustments, learnings, growth plan, and re-introducing the Account Manager, who will be the primary point of contact going forward. If it hasn’t happened already, shortly after purchasing Bugcrowd, you’ll be introduced to your Solutions Architect by either your Account Executive or another member of your account team. Bugcrowd’s triage SLOs: Bugcrowd maintains the following SLOs: Any P1 (critical) issues will be actioned within one business day (and, if valid, will be escalated to the client). Our ASE will action any new submissions within three business days (note that actioning a submission does not imply that it will be triaged, as sometimes the action that’s needed is to get more information from the researcher, etc.). All of the above are offered in the context of standard business hours for the Pacific Time Zone (e.g. Monday-Friday, 9am-5pm); company/Federal Holidays are explicitly excluded from any SLO time period. We ask customers to maintain the following SLOs: Accept triaged submissions within seven days of being moved to ‘triaged’ by the Bugcrowd team. If you expect it to take longer than one week for a submission to be accepted, please leave a status update in the form of a comment to the researcher - this enables them to plan their time accordingly. Please be aware that lengthy delays in accepting submissions are heavily correlated with diminished researcher participation and lower total volume over time. Pro-tip: It’s a good idea to have at least two program owners on any given program - doing so ensures that if one is not available, there’s coverage. 
Furthermore, having two people also ensures items get handled in a more expedient manner. Promoting a program successfully: We recommend starting with this blog post: https://www.bugcrowd.com/blog/5-tips-and-tricks-for-running-a-successful-bug-bounty-program/. We also recommend keeping FRUIT in mind. FRUIT is an acronym that highlights some core characteristics of an effective Program Owner. An effective Program Owner is: Fair - Executing on the expectations set on the program brief, and rewarding researchers for their effort. Remember that your bounty brief is essentially a contract between your organization and the researchers, and it is ultimately your responsibility to ensure that the content accurately reflects the information you want conveyed to researchers. Responsive - Rewarding findings in a timely fashion (ideally, never more than seven days), and quickly responding to any questions from Bugcrowd or the researchers. Lengthy response times jeopardize researcher goodwill and interest in participating. As noted in the customer SLO section, we highly recommend having at least two program owners to help ensure continuity. Understanding - Recognizing that researchers are here to help. Treat them with the same respect that you would if they were an extension of your own team - because they are! Invested - Doing what it takes to make a program successful - whether that means getting more credentials, increasing rewards, sharing changelogs, or increasing the scope. Our most successful programs are led by deeply invested Program Owners. An additional corollary to this point is to recognize that we want researchers to find vulnerabilities! Creating an environment that is conducive to this goal means being open to working with your Account Manager on broadening access to more parts of your target for testing purposes. Transparent - Being clear and honest with researchers. 
If something is downgraded or not an issue, offering a full and clear explanation helps the Researcher to appropriately refocus their efforts. For programs with reward ranges, it’s invaluable to provide extensive detail about submission types that map to each reward band. Expectations from a program over time: Your program will need to grow over time. “Set-and-forget” is not a phrase that applies to any successful program. Running a program requires continual investment and involvement. We’re well versed in adjusting as needed to promote optimum results, so we only ask that you be an active participant in this process. Relationships are everything: Few things are more impactful to your program than the relationships you have with the people who make it a success; namely, the researchers themselves, the ASEs who work on your program, and your account team at Bugcrowd. Like your own team of engineers, Researchers want to be assured that their efforts have impact. Those who understand their role in the SDLC are far more likely to continue focusing their efforts on your program - going deeper than others, and coming back for more over time. The relationships you build here will pay dividends well into the future (remember: we want to help researchers find issues). Furthermore, collaboratively working with your Bugcrowd team (ASE/AM/etc.) will help us help you have the best possible program. Crawl, walk, run: We guide all programs according to a crawl, walk, run model. This means that no program starts with hundreds or thousands of researchers - though, where possible, that’s certainly where we’d like to end up. We take scaling effectively seriously, and want to ensure solid foundations and mechanics first. 
To this end, all programs, even the most advanced, start as relatively small private programs, and we ramp them (at varying speeds) towards whatever the desired final state is. Controlling the ebb and flow of Researcher Activity: Most programs experience the highest level of researcher activity during the first few weeks. As such, this period is a critical time to demonstrate to researchers your level of involvement. Many researchers will report one bug, gauge the experience with the Program Owner, and then make a determination as to whether or not they will continue with the program. Three levers: As the program goes on, and the low-hanging fruit is picked clean, we look to three primary levers to ensure continued value: a) Reward levels; b) Number of researchers; and c) Program scope (as well as sharing what’s been changed/updated in relation to the target). Our team is experienced in identifying which to push, and when, in order to promote success as your program matures. Going public: Sometime after demonstrating success with a Private program, your Account Manager may recommend taking the program Public in order to continue to recruit new and varied Researcher involvement. This will involve opening your program to the broader Bugcrowd Researcher community - more eyes on your program equates to more available skills, and subsequently better results. This is the fundamental tenet of crowdsourced security - five will always find more than two, fifty will find more than five, and five hundred - well, you get it… Reframing your program’s purpose: Over an extended period of time, as vulnerabilities are surfaced and remediated, we expect a reduction in the number of submissions. Hopefully your team will have also experienced positive changes in workflow, remediation practices, your relationship with the Development team, and perhaps their best practices as well. All of these factors contribute to reducing risk and thus overall program submissions. 
At this point it’s important to reframe the role your program will play in your broader success plan. Where previously the program may have served as a primary identifier of issues, over time it may shift down the line of defense and find its greatest value as a place for people to responsibly disclose issues as they sporadically arise. What to do if you run out of money in your reward pool: If you happen to run low on or out of funding for your program, contact your account team (e.g. your AM) to request a purchase order for an additional amount of your specification. Your team may also reach out if your program dips below a certain threshold to proactively get your pool replenished. Some quick links/resources for getting started: The following will help you become acquainted with the Crowdcontrol platform: Where to log in to Crowdcontrol: https://tracker.bugcrowd.com/; How to set up the Jira integration (if applicable); How to set up SSO (if applicable); Information regarding notification settings; How to import known/pre-existing issues; How to add/remove users on the platform; How to update the program brief. Once your program is live: Once your program is up and running, you should be prepared to start receiving submissions. For reference, here’s a brief overview of the general submission workflow. 1. Researcher Submits: A new submission is submitted, represented as the “new” state, and shown in the “processing” tab on the submissions page. 2. ASE Triage: A Bugcrowd Application Security Engineer (ASE) reviews the submission and verifies that it is valid, replicable, in-scope, and not a duplicate. If the ASE has a question for you (the client) that needs resolution before they can triage the finding (e.g. “is this intended functionality?”), they’ll identify it via a blocker. 
For more information about blockers, see submission blockers. You can check for blockers that need your attention by visiting this URL: https://tracker.bugcrowd.com/<program-code>/submissions?blocked_by[]=customer. 3. ASE moves submission to be reviewed: If all these criteria are met, the ASE assigns a priority to the submission based on the pre-defined rating system/taxonomy and moves the submission into the triaged state (which is shown as “to review” on the submissions page). 4. Customer Review: Anything in the triaged state (aka the to review tab) is something that now needs to be reviewed and accepted by your team. The recommended and expected timeline for accepting submissions is one week; if you expect it to take longer than this for a submission to be accepted, please leave a status update in the form of a comment to the researcher, so they have context for how long they can expect to wait. In reviewing the submissions, please ensure that the assigned priority is aligned with your valuation; for additional information regarding changing priorities, see submission priorities. 5. Customer Accepts: Once you agree that you intend to fix and reward the submission, you can accept the finding by updating the state to unresolved - which, as one would assume, then moves the report to the unresolved state (shown as the to fix tab on the submissions page). For additional information regarding changing submission states, see submission status. If you have any questions regarding a submission that’s in the to review bucket, feel free to leave a mention via a team note for an ASE via @bugcrowd - or directly reach out to the researcher via the reply option. 6. Customer Rewards: Upon moving something to unresolved (if this is a paid program), a reward modal will show and ask that you provide a reward. 
Please reward the submission at a dollar amount that’s consistent with what’s listed on the program brief (there will be some assistance in this regard from the pop-up, which will suggest an amount that aligns with the set priority of the finding; if the suggested amount does not align with your expectations, please let your AM know, and we can adjust accordingly). As soon as a submission is set to unresolved, the researcher gets an email that notifies them of the bug’s acceptance and their pending reward (where applicable). 7. Customer Fixes: Once the bug has been fixed, be sure to move it to resolved so that we can catch any potential regressions that may occur after the fix has been implemented. This usually happens days to weeks after the submission has been accepted. Common reward ranges and growth paths: Many first-time program owners tend to adopt the perspective of “wow, $2,000 for a P1 is a lot of money - can we pay less?” – To which, we advise engaging in this short exercise: Imagine you get breached tomorrow by a P1 level vulnerability (SQLi, RCE, etc.), leaking a substantial amount of client and/or internal information on the web. Considering you’ve been breached and it’s all over the news, does $2,000 still seem like too much to pay to know about the critical issue before it happens? If knowing about the issue in advance isn’t worth at least $2,000, then by all means, pay less - but know that in most cases, individuals would gladly pay 20 times that amount for the luxury of knowing about the issue before it got exploited. Keeping this in mind, it’s probably even a good idea to pay more than $2,000 for a P1. Know that you only ever have to pay the max reward for an actual P1 finding. There are no false positives in bug bounties - you only pay when you’ve validated and accepted the issue. If there are no P1 issues, you never have to pay that amount. 
With this in mind, hopefully this guidance and exercise helps reduce any trepidation there might be around setting higher and more advanced reward ranges. While non-exhaustive, the following list details our recommended starting reward ranges and corresponding example target types: $150-2,500 - Best for: untested web apps that are new to crowdsourced testing, with basic credentialed access and no researcher restrictions (e.g. geo-location, etc.) – for any target with restrictions in place, rewards should default to one range higher. $200-4,500 - Best for: moderately tested web apps with a history of crowdsourced testing, untested APIs, untested mobile apps. $250-6,500 - Best for: well-tested web apps that have been part of longstanding crowdsourced programs, moderately tested APIs or mobile apps, presumed-to-be-vulnerable thick clients/binaries and/or embedded devices. $300-10,000+ - Best for: hardened web apps (e.g. banking, etc.), well-tested APIs or mobile apps, moderately secure thick clients/binaries and/or embedded devices. $500-20,000+ - Best for: extremely well hardened and sensitive web apps, APIs, and mobile apps - as well as moderate-to-highly secured thick clients/binaries and/or hardened embedded devices. The typical growth path largely mirrors a progression of the above ranges. However, as noted in the FAQ on what to expect over time, there are also three distinct levers that can be used to help grow a program over time. 
The following is an example of an untested web app’s program growth plan over the course of a year: Day 1: Scoping/kickoff call with Bugcrowd. Day 14-21: Program goes live with X researchers and a $100-2000 reward range. Day 30: Post-launch sync to assess what steps to take going forward. Day 45-60: Depending on submission volume, add an additional X researchers to the program. Day 75-90: Increase rewards to $150-3500 (this typically happens once the program crosses either the 50 or 100 person threshold, depending on the starting point); if additional scope is available, add it - as further scope becomes available, it should be added. Day 120: Set up a cadence of 25 additional researchers every other week. Day 150: Start planning for going public after hitting ~200 researchers on the program; increase rewards on the added attack surface. Day 180: Increase scope to additional (or for small organizations, all) assets owned by the organization. Day 210: Go public. Day 260: Increase rewards, share updates/code changes as they happen, and iterate as needed. Using Bugcrowd’s VRT (Vulnerability Rating Taxonomy): Bugcrowd’s VRT is something we’ve collectively built and refined over the course of hundreds of bounty programs. It is a classification system for ranking known vulnerability types as P1 (critical), P2 (high), P3 (medium), P4 (low), or P5 (informational). These priority levels correspond to set reward ranges on the program brief, which determine the range in which a given finding gets rewarded. You can review the VRT here: https://bugcrowd.com/vulnerability-rating-taxonomy. The VRT is open source - and thus open to community suggestions/contributions - which happen regularly. Based on conversations with the community, we then update and adjust the VRT as needed (with major changes pushed once a quarter). 
You can review the VRT on GitHub here: https://github.com/bugcrowd/vulnerability-rating-taxonomy. The VRT is an industry standard that we encourage all program owners to abide by. Leveraging the VRT enables Program Owners to implicitly signify discrete reward ranges for known vulnerabilities, thus removing any ambiguity for participating Researchers. This saves you from having to enumerate every possible vulnerability (and the associated reward amounts), and prevents confusion among researchers around how things should be rated, or even what should be submitted! Deviations from the VRT are perfectly acceptable, though we encourage an auxiliary enumeration of your deviations, as opposed to trying to build a new taxonomy on your program brief (which can get long, messy, and complicated). If you wish to exclude one particular finding type, note on the brief that “this program follows the Bugcrowd VRT, except for X thing, which will not be rewarded.” The need to import known issues: It’s often the case that program owners have done some degree of security testing prior to running a bug bounty program (e.g. via pentests, internal testing, automated scanning, etc.). Provided all the findings haven’t been remediated by the time the program starts, you likely don’t want to have to pay out for issues that you already know about - which is the function of importing known issues. Uploading your known issues to the platform prior to the program start allows our ASE team to de-dupe against those findings, and also provides researchers with a level of trust and visibility that issues marked as duplicate truly existed prior to their report, as opposed to relying on the less effective strategy of asking the researcher to “trust us”. When importing known issues, there are a few options: List out the known issues on the program brief. This is an extremely helpful and well-regarded show of good faith for researchers. 
Rather than ending up in a situation where they may hunt for a while only to find a duplicate finding (which, as one could imagine, can be disheartening), explicitly listing out the known issues on the program brief allows researchers to focus their efforts on finding and reporting things that you don’t already know about. Import the known issues into the platform via CSV or API. For details, see importing known issues. Of particular note, when importing known issues, it’s incredibly important that you include enough information for our ASEs to be able to fully replicate the findings and de-duplicate based on the provided information. For instance, if importing an XSS finding, instead of saying “XSS on example.com/example/”, the description should state the vulnerable parameter, the injection used, any steps to reach the vulnerable functionality, and so on. Choose not to import any known issues. However, in doing this, please be aware that the expectation, from both the researcher side as well as Bugcrowd’s, will be that all valid, in-scope findings will be rewarded, even if they’re already known on your end. Risks with changing the program brief after program launch: We recommend exercising a high degree of caution whenever editing a program brief after the program has gone live. In any case where you’re materially changing the program brief (e.g. 
modifying scope, changing rewards, etc.), it’s strongly advised that you first share these changes with your primary point of contact at Bugcrowd (usually your AM) to: get their feedback and input in regards to the fairness and relevance of the changes; and allow your Bugcrowd rep the opportunity to simultaneously send out an update to all the participating researchers, ensuring they’re made aware of the impending changes. Failing to do this often results in severely misaligned expectations between customer and researcher, and risks degrading the relationship. It is ultimately your responsibility to ensure that the program brief accurately represents your expectations before it goes live. Common post-launch changes include removing rewards or moving particularly vulnerable targets to out-of-scope, downgrading certain vulnerability types, and so on. To be clear, it’s perfectly acceptable to make these changes, but please always do so in conjunction with Bugcrowd, so we can make sure the communication goes out to researchers, as well as our ASE team (so they’re aware of the new changes as well). Ideally, for any material brief change, we recommend: Send an email to your AM with your suggested scope change/update. Your AM/SA will review the proposed changes and make any salient recommendations. Once the changes are agreed to by both sides, you (or your AM) will update the brief and, where necessary, also send out a program update. Provisioning credentials: Testing on apps without any authenticated access (e.g. marketing sites, etc.) will often result in a low number of submissions and activity, since there’s little to no dynamic functionality for researchers to test against. When selecting targets, authenticated targets will almost always be more attractive and meaningful assets to have tested as part of a bounty program. If there is an authenticated side of the in-scope application, we should make every effort to provide credentials to researchers. 
Similar to the above, testing something without credentials, while it may seem “black-box”, is an ineffective way of truly understanding the relative security of an app, as well as identifying vulnerabilities (which is our goal - remember, we want to find issues). If we are able to have credentials, we typically ask for two accounts per researcher, so that researchers are able to perform horizontal testing. Without two sets of credentials, we potentially leave an entire class of issues off the table (IDORs, most notably). Having two sets will often lead to findings, and is highly recommended, even at the cost of fewer total testers. One notable exception here is if we’re able to provision each researcher with a single high-privilege user with which they can then self-provision additional users as needed, in which case one set is ok. In line with the above, a general guiding rule around credentialed access for researchers is that the more attack surface we can put in front of researchers, the more likely we are to find issues. With this in mind, we always want to provide researchers with as high a level of access as we’re able to. Instead of giving all researchers low-privilege users, we should give them both low-privilege and high-privilege users - allowing them to attempt privilege escalation attacks, and enabling them to test the most functionality possible. Sharing credentials is never a recommended or ideal practice, and should be avoided whenever possible. Shared credentials will almost always end badly. All it takes is one researcher accidentally changing the password, and then everyone is locked out - losing their momentum and interest, and unlikely to return to full steam even when the issue is resolved. If this is a multi-tenanted application, we ideally want to give researchers access to two tenants (or organizations), so they can do cross-tenant testing - and in an ideal world, each researcher would have their own tenant. 
The goal of this is that not only do we want researchers to be able to perform horizontal testing inside their own org, but we also want to ensure that they’re able to do cross-org testing. Understand how many total sets of credentials will be able to be created and handed out to researchers over the course of the program (is it limited to 25? 50? 500?). This number will inform the maximum number of researchers and often the starting crowd size as well. As noted above, we ideally want to provide two sets per researcher, so this should be considered when thinking about how much runway we have in terms of credentials. If live/actual personal information is required of researchers for them to set up accounts (credit card numbers, social security numbers, etc.), this can often be a deal breaker for many researchers, and should be avoided if possible. This is often a very good reason to use staging, since accounts can often be pre-populated independent of actual user info. Finding a way around any barriers to entry is important in being able to get researchers involved and activated. Managing one’s testing environment: Where possible, we suggest utilizing pre-production/staging environments, as opposed to production. However, in situations where production makes the most sense, we’re always in favor of whatever provides researchers with the best chance of success - whether that’s production, staging, or however else the target is accessed. With this in mind, there are a number of benefits to not testing against production, some of which are: There’s usually no customer PII present on non-prod environments (in case someone finds a vulnerability that exposes other users’ data). There’s no chance of affecting actual users if the staging environment is made unstable by researcher testing. If there’s anything to be purchased on the application, it’s usually a lot easier to provision fake credit cards/SSNs/etc. on non-prod environments. 
Testing against a staging/non-prod app can allow us to test against a newer version of the app before it hits production - thereby identifying issues before they’re exposed to the public. It’s typically easier to mass create credentials for researchers to test with. It’s similarly much easier to restrict access to only testing researchers (only allowing access from a specific IP address, etc.) - thereby providing better visibility into researcher testing/coverage. What to do if you’re hosted by a third party (i.e. AWS/Azure/Google Cloud): It is your responsibility to file any relevant or required pentesting requests through whichever vendor you utilize. Here are some common vendors and their policies (please always double check with your given vendor, as policies can and do often change!). Google Cloud: As of December 2018, Google does NOT require any formal pentesting request to be filed, noted here: https://support.google.com/cloud/answer/6262505?hl=en. Azure: Please review the guidelines here: https://docs.microsoft.com/en-us/azure/security/fundamentals/pen-testing (NOTE: as of December 2018, Microsoft does NOT require any formal pentesting request to be filed; however, please be sure to follow the pentest rules of engagement here: https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement?rtc=1). AWS: For AWS, you can review the guidelines here: https://aws.amazon.com/security/penetration-testing/ – As a rough guide, here is what we typically recommend clients put on their pentesting request form: IP Address: This will be part of an ongoing bug bounty program against this asset - as such, researchers will be coming from a variety of IPs that we can’t predict or control at this point. Who owns the IP addresses? This will vary by the individual researcher/tester engaging on the bug bounty program. Does the testing company have an NDA with AWS? No. 
Testing will be performed by independent and unaffiliated researchers. Expected peak bandwidth (Gbps): Our generalized guidance around bandwidth expectations is: ~50KB per page load × # of researchers × 6 requests per second per researcher × 8 (KB/s to kbps conversion) = expected load. For instance, with 25 researchers testing at 6 RPS, the total data consumed is 7500KB/s – and then multiplied by 8, we get 60,000 kbps (or 60mbps) as what we’d expect to be peak activity from this engagement. Expected peak requests per second (RPS): Generally speaking, at peak, we’d expect 6 RPS from each participating researcher – so, # of researchers × 6 = peak RPS. Expected peak Queries per second (QPS) for DNS Zone Walking: For most programs, this number is pretty close to none, unless the scope is something like an entire ASN, or *.domain.com. Additional testing details and why this testing is needed: Running a crowdsourced security engagement (e.g. bug bounty, etc.) is an integral part of ensuring our product/platform/assets are secure and thoroughly tested. What criteria/metrics will you monitor to ensure the success of this test? The answer here is contingent on your personal goals, but generally this looks something like “Identifying previously unknown issues, as well as seeing depth of testing from utilizing a wide contingent of researchers.” Do you have a way to immediately stop the traffic if we/you discover any issue? Yes. If you notice any issues and need to stop ASAP, please reach out immediately to your entire support team (SA/AM), as well as support@bugcrowd.com. Support Resources: For any other questions or issues, visit the Bugcrowd Customer Support Center (https://docs.bugcrowd.com) or send an email to support@bugcrowd.com." 
} , { "title" : "Embedded Submission Form", "category" : "customer", "tags" : "integration-management", "url" : "/customers/integration-management/embedded-submission-form/", "date" : "", "content" : "With Embedded Submission Forms, researchers do not need to sign into or sign up for Bugcrowd. Instead, they can provide their email address and receive a claim ticket, which they can later use to log into or create an account for Bugcrowd to receive credit for their submission. Embedding a submission form on your website will allow anyone to responsibly disclose a vulnerability found in your application. Preset Fields: The Embedded Submission Form is an embeddable HTML script with preset form fields. Fields may not be adjusted to fit a custom form, other than the option to include or exclude the Target field. Key Benefits for Embedded Submission Forms: Here are some key benefits to using embedded submission forms: You can accept vulnerability reports from any researcher, whether they have a Bugcrowd account or not. You can promote security best practices by enabling your partners, employees, and customers to report bugs and vulnerabilities. You can manage and track submissions through Crowdcontrol for private and public programs. No additional configuration is needed. The submission form pulls all the fields from your program’s settings. Embedded Submission Form Fields: The Embedded Submission Form has preset fields and is nearly identical to the vulnerability submission form for programs hosted on Bugcrowd’s website, with the exception of a few subtle nuances such as the Target field. The Target field is optional. For more information, see step 3 - enabling target selection. The Embedded Submission Form includes the following fields (Field / Subfield / Details): Info - A brief note or header that best identifies what the vulnerability is about. Target (Optional) - Drop-down field the researcher can use to identify the target affected. Selections only include in-scope targets. 
Technical Severity   Based on Bugcrowd’s Vulnerability Rating Taxonomy (VRT), researchers use this drop-down field to identify the type of vulnerability found, which is then given a baseline technical severity rating. Vulnerability Details   Includes sub-fields for descriptive and clear details about the vulnerability found.   URL / Location of vulnerability Enter the URL or location of the vulnerability found.   Description Comprehensive information about the vulnerability such as “what is the vulnerability?”, “what is the security impact?”, “replication steps”, “proof of concept”, etc.   Trace dump/HTTP request Trace dump or HTTP request is entered in here.   Additional information Researchers enter any additional information or data relevant to the vulnerability submitted. Attachment   Images or videos can be uploaded to help clarify and demonstrate replication steps. Researcher Email   An optional field for the researcher to fill out. Entering their email will trigger an automated email that will allow the researcher to claim the submission. Supported BrowsersEmbedded submission forms currently work with the following browsers: Safari Firefox Edge Chrome Internet Explorer 11Setting Up the Embedded Submission Form IntegrationTo set up the Embedded Submission Form integration, you’ll need to be an organization owner or program admin, and complete the following: Embed the Embedded Submission Form code provided by Bugcrowd into a page on your website. Allow list your site domain so that the form can appear on your website. Enable the targets option if you want to display a list of in-scope targets on the form. Enable the Embedded Submission Form integration. Receive Vulnerabilities.Step 1: Embedding the Embedded Submission Form Go to the Settings page of your program. Go to the Integrations tab and click the Add Integration button for Embedded Submission Form. Copy the embed code. Add it to the body of your web page. 
Load the web page to view the form; you’ll see a notification that the integration has not been enabled. Step 2: Allow Listing DomainsIt is necessary for you to allow list your site domain to prevent others from hosting your submission form elsewhere. This can be done directly from the configuration page. From the Allowed domains section of the configuration page, click Add new entry. Enter the domain you want to allow and click outside the text box. The Integration updated message is displayed and the specified domain is saved. You can enter a fully qualified domain name or use an asterisk (*) as a wildcard. Non-HTTPS site: If you are hosting the embedded form on a non-https page, you have to include the scheme (http://) on the allow list. To remove a domain, click Remove. Step 3: Enabling Target SelectionTarget selection allows researchers to select from a list of targets that are within a program’s scope. By default, target selection is turned off. If you are running a public program, you may want to turn this option on to make this information available to researchers.To enable target selection on the submission form, select the Allow targets to be selected in embedded submission form option.Step 4: Enabling the IntegrationThe Embedded Submission Form must be set live before you can start receiving submissions. To turn it on, send an email to support@bugcrowd.com.Step 5: Receive SubmissionsNow that you’ve embedded the form and enabled the integration, others will be able to go to the webpage to submit vulnerabilities via the embedded form. As vulnerabilities are submitted, they will appear in Crowdcontrol for you to review." } , { "title" : "GitHub", "category" : "customer", "tags" : "integration-management", "url" : "/customers/integration-management/github/", "date" : "", "content" : "Self or Cloud Hosted Supported: You must be in an authenticated GitHub session to enable pushing your submissions.Set up a GitHub integration by following the steps below. 
Go to your program’s Settings. First, navigate to your Program Settings and select the Integrations tab. Program Specific Integration: The GitHub integration is set up in the program’s settings and is specified to send notifications for activities in that chosen program. There are no limitations to the number of repositories that can be set up with the GitHub integration. Select the Add Integration button for GitHub. Click Add GitHub Integration. After selecting the Add GitHub Integration button, you will be brought to a form so we can set up the needed details to enable pushing issues to GitHub. GitHub Enterprise Support: Adjust the domain field to match your GitHub Enterprise instance’s URL. Once you have the integration set up and enabled, you can go to any submission and “Push to GitHub”. Clicking the link opens a modal providing a link to open the corresponding issue in GitHub. Click that. Open issue in GitHub. The Submission contents are filled within the Issue form, enabling you to further edit it before submitting. Once the issue is saved, grab the ID from the Issue page (or the link) and go back to Crowdcontrol to save it. Fill in the ID number within the modal form, saving it within Crowdcontrol. This makes it easy to access the GitHub issue within Crowdcontrol for further updates. " } , { "title" : "Jira", "category" : "customer", "tags" : "integration-management", "url" : "/customers/integration-management/jira/", "date" : "", "content" : "Bugcrowd’s bi-directional Jira integration provides the following functionalities: When the submission status changes from Triaged to Unresolved state, the Jira ticket is automatically generated and all the vulnerability details are synchronized from Crowdcontrol to Jira. When a vulnerability is fixed and the developer moves the Jira ticket to a Closed state, the associated submission is automatically closed (moved to a Resolved state) in Crowdcontrol. 
All activities (comments, priority changes, and other activities) on a single submission in Crowdcontrol are automatically updated in the associated Jira ticket. All Jira ticket fields can be mapped to Crowdcontrol submission fields using the custom field mapping settings.When you set up the integration between Crowdcontrol and Jira, you can choose the bounty programs that you want to integrate with Jira.The sections covered are: Navigating to Jira integration Authorizing Crowdcontrol to access Jira Configuring Jira project Setting Jira issue type Automatically pushing submission comments into Jira Enabling integration Manually pushing Crowdcontrol submissions to Jira Configuring bi-directional Jira integration Mapping fields between Crowdcontrol and Jira Adding multiple Jira integration instances Viewing existing Jira integrations Mapping Jira Integrations with Targets Editing Jira integration name Deleting Jira integration Integrating Crowdcontrol with Jira On-Prem Frequently asked questionsTo set up Jira integration with Crowdcontrol, you must be an owner and have administrator access to Jira." } , { "title" : "Jira > Adding Multiple Jira Integration Instances", "category" : "customer", "tags" : "", "url" : "/customers/integration-management/jira/adding-multiple-jira-integration-instances/", "date" : "", "content" : "You can set up multiple Jira integrations for a single program. Each integration is unique and can be customized based on the requirements.To add an additional Jira integration: On the Integrations page, in Atlassian Jira, click Configure. The Jira Integrations page displays the existing Jira integrations. Click Add Jira integration. The Jira integration created message and the Authorization page are displayed. To proceed, see authorizing Crowdcontrol to access Jira. 
" } , { "title" : "Jira > Authorizing Crowdcontrol to Access Jira", "category" : "customer", "tags" : "", "url" : "/customers/integration-management/jira/authorizing-crowdcontrol-to-access-jira/", "date" : "", "content" : "To authorize Crowdcontrol to access your Jira account, specify the following information on the Authorization page: Display name: Name for the integration. Site: URL for your Jira domain.You can authorize Crowdcontrol to access Jira using Jira Cloud OAuth, Jira Server OAuth, or Username and password.Authorizing Jira Cloud If your Jira instance is hosted at *.atlassian.net, then select the Jira Cloud OAuth option. Click Authorize. In Authorize for, select the Jira instance hosted at *.atlassian.net and click Accept. The Integration authorized message is displayed. Also, the Jira integration details section displays the Cloud ID and Instance name automatically, and Authorization in the left pane shows a tick mark indicating that authorization is complete for Jira Cloud. After authorizing Jira Cloud, configure the Jira project. For information, see configuring Jira project. Authorizing Jira Server If your Jira instance is self-hosted, select the Jira Server OAuth option. If a firewall is enabled on your network, then make sure that you have allow listed the static IP addresses listed in integrating Crowdcontrol with Jira on-premise. Log in to Jira and go to Settings > Products. In Integrations, click Application Links. The Configure Application Links page is displayed on the right. Specify https://tracker.bugcrowd.com as the URL for creating a new link. The No Response was received error message is displayed. Provide the same URL and click Continue. The Link applications page is displayed. Specify the following details: Application Name: Descriptive name for the integration. Application Type: Select Generic Application. Service Provider Name: Provide name as Bugcrowd. 
Consumer Key: Use the same Consumer key you provided in Crowdcontrol integration. The following values are only used for an Outgoing Authentication flow, which is currently not leveraged. Hence, use the provided arbitrary values: Shared Secret: Bugcrowd. Refresh Token URL: https://tracker.bugcrowd.com. Access Token URL: https://tracker.bugcrowd.com. Authorize URL: https://tracker.bugcrowd.com. Select the Create Incoming link option. Click Continue. Specify the following details: Consumer Key: Use the same Consumer key you entered within the Crowdcontrol Jira Integration. Consumer Name: Use a name for the integration; we recommend Crowdcontrol. Public Key: Enter the public key from the Crowdcontrol Jira integration. Click Continue. The Application Link is persisted within Jira. Go back to the Crowdcontrol Jira integration page and click Authorize. The Integration updated message is displayed. After authorizing Jira Server, configure the Jira project. For information, see configuring Jira project. Authorizing Jira Using Username and Password On the Jira Integration page, select the Username/Password option. Specify the following: Username: Your Jira user name. Password: API token generated in Jira. For information about generating API tokens, see Jira documentation. Click Test authorization. The Jira authentication successful message is displayed. After authorizing Jira, configure the Jira project. For information, see configuring Jira project. " } , { "title" : "Jira > Automatically Pushing Submission Comments into Jira", "category" : "customer", "tags" : "", "url" : "/customers/integration-management/jira/automatically-pushing-submission-comments-into-jira/", "date" : "", "content" : "When a comment is added for a submission in Crowdcontrol, you can update these comments in the Jira ticket automatically. To enable this, move the slider to the right for the Include Public and Private Comments option.The Integration updated message is displayed." 
} , { "title" : "Jira > Configuring Bi-directional Jira Integration", "category" : "customer", "tags" : "", "url" : "/customers/integration-management/jira/configuring-bi-directional-jira-integration/", "date" : "", "content" : "Bi-directional Jira integration between Jira and Crowdcontrol enables you to automatically track vulnerabilities from validation to remediation. It allows the following: When a submission is marked as Resolved in Crowdcontrol, the corresponding issue in Jira is automatically updated to a pre-defined state. When an issue is closed in Jira, the corresponding issue in Crowdcontrol is automatically closed.To set up bi-directional Jira integration: On the Jira integrations page, click Resolving issues on the left side. The Resolving Issues in Jira and Crowdcontrol settings are displayed. To set the closed status for Jira tickets, in Jira closed status, select a status. This indicates the status within the Jira workflow that maps to the Resolved state in Crowdcontrol. In the following example, Done is selected as the closed status for Jira tickets. To activate communication from Crowdcontrol to Jira, select the When I close an issue in Crowdcontrol, automatically close the corresponding issue in Jira option. When a submission is moved to the Resolved state in Crowdcontrol, it automatically closes the corresponding ticket in Jira. Register a Crowdcontrol webhook with Jira. To perform this, move the slider to the right for the Two-way Jira integration option. Crowdcontrol generates and displays a webhook URL. If you are an admin Jira user, then the webhook is automatically updated in your Jira settings. If you are a non-admin Jira user and you do not have permission to add webhooks, then Crowdcontrol detects this and displays the instructions for adding webhooks (customized for your project configuration). After the webhook URL is registered with Jira, the Webhook was successfully registered with Jira message is displayed. 
Workflow Tip By default, the Jira webhook is created with JQL that scopes issue monitoring to the project selected in the basic configuration section. If you move Jira tickets between projects regularly, any ticket updated in a project outside of the project scope is ignored. The following screenshot shows an example Jira webhook configuration with the default JQL set to Project = 10400 (corresponding to the ID of the project selected in the basic configuration). If you want to monitor Jira issues across multiple projects, you can manually adjust the JQL in the webhook to encompass different selection criteria. One example is to use the label that is automatically set for the Jira tickets when created through Bugcrowd. For more information about configuring labels, see the Advanced Field Mapping section. In this example, assume all tickets are created with the label bugcrowd-bugcrowdongoing. You can create a custom JQL query such that, instead of looking for issues in the project, it looks for any issues with that label. The following screenshot shows an updated Jira webhook with scope changed to the label bugcrowd-bugcrowdongoing. To activate communication from Jira to Crowdcontrol, select the When I close an issue in Jira, automatically close the corresponding issue in Crowdcontrol option. Closed issues in Jira associated with submissions in Crowdcontrol will automatically move the submission to Resolved. " } , { "title" : "Jira > Configuring Jira Project", "category" : "customer", "tags" : "", "url" : "/customers/integration-management/jira/configuring-jira-project/", "date" : "", "content" : "After Crowdcontrol and Jira are connected, you must configure the Jira project where the issues will be created.To configure the project: On the left side, click Project configuration. Crowdcontrol supports multiple Jira project instances. For more information, see adding multiple Jira integration instances. 
In Jira project, select the Jira project you want to use for the integration. The Integration updated message is displayed. Also, Project configuration on the left side displays a tick mark indicating that the Jira project is configured. To proceed, see setting Jira issue type. " } , { "title" : "Jira > Deleting Jira Integration", "category" : "customer", "tags" : "", "url" : "/customers/integration-management/jira/deleting-jira-integration/", "date" : "", "content" : "To delete a Jira integration: On the Jira Integrations page, click the Delete icon for the integration that you want to delete. A message asking for confirmation is displayed. Click OK. The Integration removed successfully message is displayed. The integration is deleted in the application, but is archived in the database. If you want to manually retrieve it from the database, send an email to support@bugcrowd.com. " } , { "title" : "Jira > Editing Jira Integration Name", "category" : "customer", "tags" : "", "url" : "/customers/integration-management/jira/editing-a-jira-integration-name/", "date" : "", "content" : "To edit the Jira integration name: On the Jira Integrations page, click the integration that you want to edit. The Authorization page is displayed. In Display Name, change the name. Click Save. The updated name is displayed on the left side. " } , { "title" : "Jira > Enabling Integration", "category" : "customer", "tags" : "", "url" : "/customers/integration-management/jira/enabling-integration/", "date" : "", "content" : "After configuring the Jira project and issue type, you must enable the integration so that you can push submissions from Crowdcontrol to Jira. By default, this option is disabled. To enable this option, move the slider to the right for the Integration status option.The Integration status option is available only after you have selected the Jira project and issue type.You can now push Bugcrowd submissions to Jira." 
} , { "title" : "Jira > Frequently Asked Questions", "category" : "customer", "tags" : "", "url" : "/customers/integration-management/jira/frequently-asked-questions/", "date" : "", "content" : " Question Answer Project Name is not appearing on the Configuration page. Confirm that the Username has access to view and edit the project. Bugcrowd issues are not pushed upstream. Check whether Field Mapping is configured correctly. If the problem persists, confirm that the Jira user has permissions to create issues. Pushing to Jira Summary Field Jira has a default character limit of 255. Unable to complete error Confirm that the Custom Field Mapping {key:value} value portion equals the text field. Authentication Error - Unexpected end of JSON input. Make sure that the site URL is https:// or that you are connecting to the root Jira URL. Import existing issues from Jira See known issues imports " } , { "title" : "Jira > Integrating Crowdcontrol with Jira On-Prem", "category" : "customer", "tags" : "", "url" : "/customers/integration-management/jira/integrating-crowdcontrol-with-jira-on-premise/", "date" : "", "content" : "You must perform the following: Configure Jira On-Prem on your system Install Ruby Access On-Prem Crowdcontrol Jira integration files Run bundle command Update configuration YAML file Run On-Prem Crowdcontrol Jira integrationClients must allow list the following IPs. The IPs are a cluster of squid proxies that provide high availability for outgoing integration requests.IPs: 52.1.126.10 52.86.183.27 52.86.229.29Port: 443Send an email to support@bugcrowd.com. The port may vary depending on your Jira configuration. The default port used for Jira is 443 (SSL/TLS).Configuring Jira On-PremiseAfter installing Jira On-Prem on your system, you must configure and start the application. For more information, see Jira documentation.Installing RubyInstall Ruby 2.4 or later on your system.Add the rbenv init command to your shell profile. 
If you are using the common ~/.bash_profile, add the following:echo 'eval "$(rbenv init -)"' >> ~/.bash_profileAccessing On-Prem Crowdcontrol Jira Integration FilesTo access the On-Prem Crowdcontrol Jira Integration files, send an email to your account manager. After you get access, clone the files to your system.Running Bundle CommandRun bundle from the cloned repository.All the bundle gems are installed.Updating Configuration YAML FileThe configuration YAML file (config.yml) is required to integrate Crowdcontrol with Jira On-Prem. This file is available in the /config subdirectory.General SettingsSpecify the following general settings: Update frequency: Time to wait (in seconds) between scraping all submissions and child objects before starting again from the top. Download directory: Location of the downloaded files. It can be a relative value or an absolute path.Crowdcontrol valuesSpecify the following values for Crowdcontrol: Base URI: Base URL of Crowdcontrol. Crowdcontrol bounty ID: Crowdcontrol bounty ID is the parent key. If you do not know the bounty ID, leave it blank within single quotes and run the bin/start command. The available bounties in Crowdcontrol will be displayed in the following format: (ProgramName => ID) Copy the required ID and paste it as the value for Crowdcontrol bounty ID. Jira project ID: Jira project ID that must map to the bounty ID. To get the Jira project ID, in Jira hover your mouse over the project name to view the project ID. Usually, it is 10000 onwards. Priorities: Crowdcontrol IDs that must be mapped to Jira priority IDs. Issue Type: Issue type ID in Jira that must be used for all submissions. HTTP Authentication Header: Used for connecting to the Crowdcontrol API. Obtain this value from the Crowdcontrol application. Submissions per page: Number of submissions to request and process at a time before calling the Crowdcontrol API again. If it is a very high value, the local memory usage may increase. 
If it is a very low value, it may bombard the Crowdcontrol API with requests. Submission Types: Submissions with the specified states that must be pushed to Jira. For example, push submissions with Unresolved status to Jira. Timestamp format: Format of the ‘created_at’ timestamp in Crowdcontrol notes, which is mapped to the Note created at in the Jira comment. Timeout: Set a timeout (in seconds) value for all Crowdcontrol API requests. VRT cache duration: Time (in seconds) to locally cache (in RAM) the vulnerability rating names. This should be a high value unless rating names update frequently.Jira On-Prem valuesProvide the following connection details for the Jira API client. Username: User name to log into Jira On-Prem. Password: Password associated with the user name. Site: Link where Jira On-Prem is hosted. Context Path: Jira installation location on the server. Usually, the path is not specified and it is blank. Use SSL: Set it to true if you want to use SSL authentication for connecting Jira to Crowdcontrol. Otherwise, set it to false.The Read Timeout, Authentication Type, and HTTP Debug values are hardcoded and must not be changed.Sample config.yml FileThe following code provides a sample configuration file. 
#General settings for this script
general:
  update_frequency: 10
  downloads_directory: 'downloads'
#Crowd Control API credentials
crowd_control:
  base_uri: 'https://api.bugcrowd.com/'
  bounties:
    'ce734644-3dc5-45c7-bbe2-9a6500aad1cd':
      project_id: '10000'
      priorities:
        1: '1'
        2: '2'
        3: '3'
        4: '4'
        5: '5'
      issuetype: '10002'
  http_auth_header: 'onaxmjzzkr:grKdykxpXUEL0PnarY_lAwmyrljqHFJwyPsl4M49eaQVKYAJ-Us6-Wezf'
  submissions_per_page: 100
  submission_types:
    - unresolved
  timestamp_format: '%F %T'
  timeout: 10
  vrt_cache_duration: 86400
# Jira API credentials
jira:
  username: user.one
  password: userone_10
  site: https://localhost:8080/
  context_path: ''
  read_timeout: 10
  auth_type: :basic
  use_ssl: false
  http_debug: true
Running On-Prem Crowdcontrol Jira IntegrationRun bin/start from the cloned repository.
INFO Sync2Jira::SyncedObject: Connecting to local database
INFO Sync2Jira::CrowdControl: Fetching vulnerability ratings
INFO Sync2Jira::Synchronizers::Submission [ID 2]: Creating on Jira
The Jira tickets are created for each Crowdcontrol submission for a program. For example, if you have specified the issue type as Task in the config.yml file, then each submission will be created as a Task in Jira.For any issues with using On-Prem Crowdcontrol Jira Integration, send an email to support@bugcrowd.com." } , { "title" : "Jira > Mapping Fields Between Crowdcontrol and Jira", "category" : "customer", "tags" : "", "url" : "/customers/integration-management/jira/mapping-fields-between-crowdcontrol-and-jira/", "date" : "", "content" : "You must map the fields between Crowdcontrol and Jira so that when a submission is pushed from Crowdcontrol, the submission information is properly updated in Jira. 
By default, the Title and Details fields in the Crowdcontrol submission are mapped to the Summary and Description fields in the Jira ticket, respectively.Jira Markdown support: When Markdown fields from Crowdcontrol are pushed to Jira, they will be converted to the respective markdown flavors to render appropriately.You can map the following submission details to Jira: Link to the issue in Crowdcontrol Current submission state (example, Unresolved, Resolved) Priority Reward Amount Reference Number Description HTTP Request Chosen VRT Category Bug URL List of commentsThe following image displays the comments in the Jira ticket.Crowdcontrol provides the following mapping types that allow mapping Crowdcontrol submission fields to your Jira ticket fields: Apply a Bugcrowd submission attribute to a text field in Jira Apply a Bugcrowd submission custom field to a text field in Jira Apply a static string to a text field in Jira Apply one or more text strings to the labels field in Jira Apply one or more text strings to a custom label field in Jira Select a predefined option from a single select list field in Jira Select one or more predefined options from a multiple select list field in Jira Select predefined options for a cascading select list field in JiraA field marked with an asterisk is a mandatory field that is required for creating an issue in Jira.To map the Jira ticket fields to Crowdcontrol: On the Jira integrations page, click Field mapping on the left side. In the Jira field column, select the Jira field that you want to map. Crowdcontrol uses an API to display all fields from your Jira project. In the Available field column, select the Crowdcontrol field that must be mapped to the Jira field. Crowdcontrol allows administrators to define custom submission fields at the program level. This means that you can add information specific to your organization on a per-submission basis. 
Custom fields are displayed as [Custom Field] (custom_field_name) in the Available Field drop-down menu. In the Set field column, select any of the following options to configure how often the Crowdcontrol field must synchronize with the Jira field: On Every Update: Each time a submission field is updated in Crowdcontrol, the updated information is pushed to Jira. The corresponding Jira field is overwritten and displays the changes. Once: The Crowdcontrol submission field’s data is synchronized with the Jira field when a Jira ticket is created and remains fixed regardless of the updates made within that field in Crowdcontrol. If automatic Jira ticket creation is enabled, then a Jira ticket is created after the submission transitions to the Unresolved status. If automatic Jira ticket creation is disabled, then you can push the Crowdcontrol submission upstream to Jira manually. Overwriting Jira Ticket Fields: Any field configured to synchronize On Every Update is overwritten in Jira with the latest data from the Crowdcontrol submission. If you update the Jira field, then this updated data is lost during synchronization. Click Add. The Field mapping created message is displayed and the mapped field is added as a row to the table. Remove Field MappingTo remove a field mapping, click Delete for the field that you want to remove.The Field mapping removed message is displayed and the mapped field is removed from the table." } , { "title" : "Jira > Mapping Jira Integrations with Targets", "category" : "customer", "tags" : "", "url" : "/customers/integration-management/jira/mapping-jira-integrations-with-targets/", "date" : "", "content" : "You can map the Jira integration projects with in-scope targets for a bounty program. 
This helps to synchronize and create Jira issues automatically from submissions that belong to certain targets.Before mapping the Jira integration project with a target, make sure you have performed the following: Jira integration project is connected Jira issue creation type is set (Automatic Jira Creation or Manual push) Trigger state (unresolved or triaged) is setTo map Jira integration projects with targets: On the Jira Integrations page, go to the Target Link section. For the In-scope Target, select the Jira project from the drop-down list in Linked Integration. When you select the integration project for each target, the Target mapping created message is displayed. The in-scope targets are linked with Jira integration projects. When submissions move from Triaged to Unresolved, they will be automatically pushed to the corresponding Jira integration project. You must map all in-scope targets to Jira integration projects. Otherwise, the Incomplete target mapping error message is displayed as shown. The linked integrations are displayed in Program scope. If you click on the link, the Jira integration project is displayed. " } , { "title" : "Jira > Navigating to Jira Integration", "category" : "customer", "tags" : "", "url" : "/customers/integration-management/jira/navigating-to-jira-integration/", "date" : "", "content" : "To navigate to the Jira integrations page: Go to Settings and click the Integrations tab. In Atlassian Jira, click Add integration. The Jira integrations page is displayed. Click Add Jira integration. The Authorization page is displayed. To proceed, see authorizing Crowdcontrol to access Jira. Multiple Jira Project Capabilities: Crowdcontrol supports multiple Jira project instances. For more information, see adding multiple Jira integration instances. 
" } , { "title" : "Jira > Pushing Crowdcontrol Submissions to Jira", "category" : "customer", "tags" : "", "url" : "/customers/integration-management/jira/pushing-crowdcontrol-submissions-to-jira/", "date" : "", "content" : "Manually Pushing Crowdcontrol Submission Upstream to JiraWhen you enable the Integration status option, the Push to Jira link is available for each submission. To manually push the submission to Jira, click Push to Jira. A new ticket is created in Jira based on the configured issue type.If the submission was already pushed to Jira, then any data updated in the Crowdcontrol submission is automatically updated in the Jira ticket based on the field mapping. For more information, see mapping fields between Crowdcontrol and Jira.Automatically Pushing Crowdcontrol Submission to JiraYou can automatically push the submission from Crowdcontrol to Jira when the submission’s state changes to Unresolved or Triaged in Crowdcontrol. To enable this, on the Issue Creation page, perform the following: Move the slider to the right for the Enable Automatic Jira Issue Creation option. In Submission State, select Unresolved or Triaged. The Integration updated message is displayed and the setting is saved." } , { "title" : "Jira > Setting Jira Issue Type", "category" : "customer", "tags" : "", "url" : "/customers/integration-management/jira/setting-jira-issue-type/", "date" : "", "content" : "You must configure the Jira issue type that must be used for creating tickets when submissions are pushed from Crowdcontrol to Jira.To set the issue type in Jira: On the Jira integration page, click Issue creation on the left side. In Issue Type, select the issue type that must be used to create issues in Jira for the submissions pushed from Crowdcontrol. The Integration updated message is displayed. When the Jira ticket is created for a submission, it will be labeled based on the selected issue type. 
" } , { "title" : "Jira > Viewing Existing Jira Integrations", "category" : "customer", "tags" : "", "url" : "/customers/integration-management/jira/viewing-configured-jira-integrations/", "date" : "", "content" : "After the Jira integration is set up and enabled successfully, the newly added Jira project is displayed on the Jira Integrations page with the following information: Name: Jira project name. Project ID: Jira project ID that is synchronized with the Jira Integration instance. Status: Integration status for the Jira project. When integration is enabled, the status is Connected. If integration is disabled or if there is an issue with authenticating the integration, then the status is Not Connected. Actions: Clicking Send unresolved issues to Jira creates a Jira ticket for each submission (within the program) in the Unresolved status that was not pushed upstream to Jira." } , { "title" : "Qualys", "category" : "customer", "tags" : "integration-management", "url" : "/customers/integration-management/qualys/", "date" : "", "content" : "Follow the steps below to integrate Qualys with Crowdcontrol.Qualys WAS Data Import: Crowdcontrol will check for new Qualys WAS scan data to import every hour and import new scan data.1. Go to your program Settings and then go to the Integrations tab 2. Click the Add Integrations button for Qualys 3. Enter a Name for the IntegrationOn the Qualys integration settings, enter the integration name. This name will display in Qualys. 4. Select the API LocationThen select the correct API Location to configure your Qualys WAS. When selecting the correct API location, first identify your Qualys WAS login URL. For example, https://qualysguard.qg2.apps.qualys.com. Once identified, your API location will be the same as your Qualys account login URL, except that instead of qualysguard the API location uses qualysapi. So for the login URL example above, the corresponding API location would be https://qualysapi.qg2.apps.qualys.com. 5. 
Enter Username and Password. Enter your Qualys WAS username and password. Select the blue Test Authorization button to confirm Qualys has been properly integrated with Crowdcontrol. Once confirmed, select the Save and Connect button. 6. Select the Web Application Configuration Tab. Next, select the Web Application Configuration tab on the left-hand side. 7. Configure Web Application Scans. Configure the web application scans you would like to import into Crowdcontrol by toggling each web scan to the right. A green toggle indicates the web application scan has been successfully configured. Import one or multiple scans by toggling each one. 8. Enable Integration. Once your Qualys web application scans have been configured, ensure the Qualys integration is enabled by moving the Integration Status toggle to the right as seen below. Qualys WAS Vulnerabilities in Crowdcontrol Identify Qualys Submission Qualys submissions are automatically imported with an “Unresolved” status. These submissions can be identified by the Qualys logo shield as seen in the image below. Qualys Submissions Auto-Resolved When a Qualys submission is identified and fixed in a scan, Crowdcontrol will automatically move the submission from an ‘Unresolved’ state to the ‘Resolved’ state as seen below. Submission Inbox You can identify Qualys submissions in the submission inbox by the Qualys logo shield located below the submission’s priority. To filter your inbox to show only Qualys submissions, use the Source filter shown in the image below. Submission Inbox Filters: The submission inbox provides customizable filtering. For more information, see submission filtering." } , { "title" : "Email Intake", "category" : "customer", "tags" : "integration-management", "url" : "/customers/integration-management/receiving-submissions-through-email/", "date" : "", "content" : "Important Notice-Email Intake Availability: Email Intake is only available for customers with a Vulnerability Disclosure Program (VDP). 
If you are considering using Email Intake, please contact your Account Manager or send an email to sales@bugcrowd.com. Setting Up Email Submissions To set up email submissions, all you have to do is contact your Account Manager. We’ll handle almost everything for you, including setting up a dedicated email for you to receive submissions and enabling forwarding support if you need it. You will be able to find your dedicated email address by following the steps below: Navigate to the Program Settings page. Select the Integrations tab. Click the Add Integration button for Email Intake. Find a dedicated email intake address at the top (highlighted in the image below). Once you’re all set up, all you have to do is share the email address through your regular disclosure channels, such as your security webpage or disclosure program. When someone reports a bug to the email address, a submission will be automatically created in Crowdcontrol for you to review. Action Required-Email Intake Set-Up: To set up Email Intake, contact your Account Manager or send an email to sales@bugcrowd.com. You will know Email Intake is enabled when you see the following message on the Email Intake Integration Settings page: Please contact support@bugcrowd.com to disable this integration (See Image Below) Email Forwarding To help you track and reward submissions sent to an email other than the one provisioned by Bugcrowd, you can enable forwarding support. Forwarding support enables you to send a claim ticket to the original sender of the email. For example, if your support organization receives an email that details a vulnerability, they can forward it to the provisioned email (for example, 12345@submit.bugcrowd.com). 
The email is processed and a claim ticket is sent to the original sender, not the support organization. Action Required-Enabling Email Forwarding: If you’d like to enable forwarding support, contact your Account Manager. Understanding How Email Submissions Work Email submissions are enabled on a per program basis. Your account manager will set up your program with an email address, which will be something like uuid@submit.bugcrowd.com. When you receive an email at the provisioned address, a submission will automatically be created in Crowdcontrol and will use the following information: The email subject as the submission’s title. The body of the email as the submission’s description. All you have to do is log in to Crowdcontrol to view and manage the submission as you usually would. Claiming Submissions When a submission is received via email, a claim ticket is sent back to the sender. Claim tickets allow researchers to associate a submission with their Bugcrowd account so that they can receive points and discuss their findings with you. Once a researcher claims a submission, Crowdcontrol will update the submission with the researcher’s username. All unclaimed tickets will have “Known-issues” as the username. Important Notice-Communicating with Researchers: You will only be able to communicate with the researcher through Crowdcontrol if they claim the submission. Customizing Your Claim Tickets Bugcrowd provides a claim ticket template that you can customize with a logo and text. Action Required-Customize Your Claim Ticket: Contact your Account Manager if you want to add a logo or any text to your claim tickets." } , { "title" : "IBM Resilient", "category" : "customer", "tags" : "integration-management", "url" : "/customers/integration-management/resilient/", "date" : "", "content" : "The Resilient integration is set up in the program’s settings and is specified to send notifications for activities in that program. 
There is no limitation on the number of projects that can be set up with the Resilient integration. To push or view an issue in Resilient, you must be authenticated, as Bugcrowd will not collect any authentication permissions. Setting Up IBM Resilient Integration Go to Settings > Integrations. In IBM Resilient, click Add integration. Click Add IBM Resilient Integration to set up your project. Specify the following information: Integration Name: Provide a name for the integration. Instance: Specify the Resilient instance URL. Integration status: Select Enabled to allow submissions to be pushed to Resilient. By default, it is Disabled. Click Save Integration. The integration project is displayed in the IBM Resilient integrations page. To set up another integration project, click Add IBM Resilient Integration and perform the same steps. If you have set up the Resilient integration project appropriately, then Connected is displayed on the Integrations page. It also shows the number of project instances that are configured. You cannot delete a Resilient integration project. You can only disable the integration setup. Pushing Submissions to Resilient After you have set up and enabled IBM Resilient integration, you can go to any submission and click Push to IBM Resilient. The Push to Resilient Integration pop-up window is displayed. If you have set up multiple integration projects, then the Push to IBM Resilient link will be displayed for each integration in the submission. You can push the submission to the required Resilient integration project. To create the incident in Resilient, click Create the incident. The Create New Incident page displays the contents of the submission. You can edit the information before creating the incident. Click Create. The incident is created in Resilient. Copy the ID number from the incident page. Go back to the Push to Resilient Integration pop-up window and enter the incident number in External Link ID. Click Save. 
The ID is displayed on the submission as a link. Click this link to access the Resilient incident within Crowdcontrol for further updates. Editing Existing Resilient Integration To edit an existing Resilient integration: On the IBM Resilient Integrations page, click the integration that you want to edit. Update the required information in the following fields: Integration Name: Update the name of the integration. Instance: Specify the Resilient instance URL. Integration status: Select Enabled to push submissions to Resilient. Otherwise, select Disabled. Click Save Integration. The integration project is saved. " } , { "title" : "ServiceNow", "category" : "customer", "tags" : "integration-management", "url" : "/customers/integration-management/servicenow/", "date" : "", "content" : "Must be Authenticated: To push/view an issue in ServiceNow, you’ll need to be authenticated since we will not be collecting any authentication permissions. Setting up a ServiceNow integration is detailed in the steps below. 1. Go to program settings. First, navigate to your Program Settings and select the Integrations tab. Program Specific Integration: The ServiceNow integration is set up in the program’s settings and is specified to send notifications for activities in that chosen program. There are no limitations to the number of projects that can be set up with the ServiceNow integration. 2. Navigate to the ServiceNow Integration Settings. Next, select the Add Integration button for ServiceNow. 3. Add ServiceNow Integration. Once on the ServiceNow integration page, set up your first project with the Add ServiceNow Integration button. 4. Configuration. Upon selecting the Add ServiceNow Integration button, you will be brought to a form so we can set up the needed details to enable pushing issues to ServiceNow. 5. 
Push to ServiceNow. Once you have the integration set up and enabled, you can go to any submission and click Push to ServiceNow. Clicking the link opens a modal providing a link to open the corresponding issue in ServiceNow. Click that. 6. Open Issue in ServiceNow. The Submission contents are filled within the Incident form, enabling you to further edit it before submitting. 7. Saving the ID Mapping. Once the Issue is saved, grab the Number from the Issue page and go back to Crowdcontrol where we will save it. Fill in the ID number within the modal form, saving it within Crowdcontrol. This makes it easy to access the ServiceNow Incident within Crowdcontrol for further updates." } , { "title" : "Slack", "category" : "customer", "tags" : "integration-management", "url" : "/customers/integration-management/slack/", "date" : "", "content" : "Depending on the type of action, each notification provides specific information and additional links to direct you into Crowdcontrol, making it easy to view the program, submission, target, or researcher’s profile (if public). Setting Up Slack Integration Go to Settings and click the Integrations tab. In Slack, click Add Integration. Click Add to Slack. From the Post to drop-down menu, select the channel or an individual based on your organization’s needs where you want to receive notifications. Click Allow. The Slack application is integrated and the Slack Authorization Successful message is displayed as shown. If the configured Slack channel is disconnected, the Unable to connect to Slack message is displayed as shown. Click Add to Slack and add the Slack integration again. 
Configuring Slack Notifications You can enable or disable the notifications when a submission: Is created Moves to Triaged Moves to Unresolved Moves to Resolved Is rewarded Is commented on by a researcher Has a private note added Has a blocker created/resolved (notification includes blocker details and link to submission) To enable a notification, move the required slider to the right. To disable, move the required slider to the left. Reconfiguring Slack Authorization To reconfigure the Slack authorization, click Reconfigure as shown. From the Post to drop-down menu, select the channel or an individual based on your organization’s needs where you want to receive notifications. Click Allow. The Slack application is integrated and the Slack Authorization Successful message is displayed as shown. Enabling or Disabling Integration Status By default, the integration status is enabled (slider is moved to the right as shown). To disable the integration status, move the slider to the left. When you enable or disable the integration status, the following message is displayed. Deleting Slack Integration To delete the Slack integration, click Delete. A pop-up message is displayed asking for confirmation. Click Delete. The integration is deleted from Bugcrowd and the page where you can revoke authorization is displayed. Revoking Authorization To revoke authorization, click the Delete icon for the user as shown. A pop-up message asking for confirmation is displayed. Click Revoke. The authorization is successfully removed message is displayed as shown. Accessing Bugcrowd from the Slack App Store Bugcrowd is now available in the public Slack app store. 
You can access it from https://slack.com/apps or directly from the Bugcrowd app. Slack Notifications Example The following message is received in the configured Slack channel when a vulnerability is submitted. When our triage team evaluates the submission, the following message is received in the Slack channel when there is a comment on a submission, so you can keep up to date on their comments." } , { "title" : "Trello", "category" : "customer", "tags" : "integration-management", "url" : "/customers/integration-management/trello/", "date" : "", "content" : "You set up an integration with Trello on a per program basis, which means that you can choose the individual bounty programs that you want to integrate with Trello. After you set up the integration, all submissions that have an “Unresolved” state are pushed to Trello in the format that you choose. Generate an API Token in Trello To set up the Trello integration, you need to generate an API token that allows Bugcrowd to authenticate to Trello’s API. Log in to Trello to get an API key. Keep the API key handy. You’ll need it for the next step. Set Up the Trello Integration in Crowdcontrol In Crowdcontrol, go to the Program Settings and select the Integrations tab. Find the Trello option from the list of available services and click the Add Integrations button to display the Trello Integration Page. Enter the following information for the Trello settings: Name: A name for the integration. This can be anything. Trello API Token: The API token you generated in Step 1. Username: Your Trello username. After you enter your details, click Update Integration. Create Cards in Trello for Crowdcontrol Issues Now that you have set up the integration with Trello, you can automatically create cards for Crowdcontrol issues. Choose the board list you want to use to create and add cards. Save your changes. The Connected status displays under the Trello logo. 
" } , { "title" : "Target Management", "category" : "customer", "tags" : "program-management", "url" : "/customers/program-management/adding-defining-targets/", "date" : "", "content" : "Adding Targets On A Program A Program Administrator or Organization Owner may search and add a number of targets to a program on the Program Scope page. To add targets: Navigate to the Program Settings page by clicking on the Settings tab on the Crowdcontrol Navbar. Feature Restriction: Targets may only be manually added and removed by a user before a program has been launched live. Once the program has been launched live, contact your Account Manager to add or remove any targets. Select the Program Scope tab. To add new targets, go to the form at the bottom of the page. Once you select the target input within the form, it will provide a list of unassigned targets from the organization. Adding New Targets At A Program Level: New targets created at the program level will automatically be available within the Organization Target Directory as well. Select a pre-existing one, or input a new target if none match. Selecting Category When adding or updating a target, assign the appropriate target ‘category’ by using the drop down arrows as seen in the image below. Categorize the target based on one of the seven different types of targets provided in the drop down menu. Select the type that best fits your target; categories include website, API, iOS, Android, IoT, hardware, and other. 
Set Target In or Out Of Scope Next, use the drop down arrow in the scope field to identify whether the target is in scope or out of scope. Scoping Targets: What’s In and What’s Out? Use the following three resources to help better understand and identify which targets should be set in or out of scope: The Anatomy of a Bounty Brief Creating a Scope Defining Exclusions Targets will be labeled as ‘In Scope’ or ‘Out of Scope’ on the bounty brief as shown in the image below. Reordering Targets in a Program The order your targets appear on your program brief and submission form can increase their visibility to researchers. To increase awareness around critical targets, you may want to arrange them based on their business impact. That said, you can arrange them in any order that makes the most sense to your program. To reorder the targets in a program: Go to Settings to view your program settings. Go to the Program Scope tab. The Program Scope lists all of the targets that can be tested in your program. Find the target you want to move. Use the Drag button in the Actions column to move the target to its new position in the list. When you are done, you can go to your program brief to verify that the targets have been reordered and categorized based on scope. Editing Existing Targets By clicking the pencil icon, you can start editing an existing target. You can tell the target is in an edit state because the drop-downs become visible. Once you make the appropriate changes, click the checkbox icon to save the changes. If you want to abandon the edits, press the back icon to the right. Adding Targets At An Organization Level Targets added to the Organization Target Directory are added at an Organization Level as a part of a customer’s Crowdcontrol target repository. 
The targets added to the Organization Target Directory may be used on any of the customer’s bounty programs run on Crowdcontrol. An Organization Owner may add a number of targets to Crowdcontrol by navigating to the Organization Settings page. To do this, click on the gear icon in the upper right-hand corner. Select the Target Directory tab. To add a target to the Target Directory, scroll to the bottom of the target list and fill in the form, clicking Create Target once completed. List each target your organization would like to test. Targets listed here will be assignable to any of your organization’s programs on Crowdcontrol." } , { "title" : "Target Management > Re-adding and Restoring Targets", "category" : "customer", "tags" : "program-management", "url" : "/customers/program-management/adding-defining-targets/re-adding-and-restoring-targets/", "date" : "", "content" : "Re-Adding A Target to A Program Re-adding a target to a program will add it back to the program brief. Researchers may submit vulnerabilities against this target if it is set in scope. Setting the target out of scope will restrict researchers’ ability to submit against it and will communicate that the target is out of scope. Re-Adding an Archived Target: A target may only be added to a program if it has been added to the target directory. If a target has been archived, it must first be restored before being re-added to a program. Navigate to the Program Scope page To navigate to the Program Scope page, first, select the Program Settings page at the top of the Crowdcontrol navbar. Then select the Program Scope tab as seen in the image below. Search the target When re-adding a target, use the search bar seen below to find the target. Type the first few characters of the target and then find the desired target in the drop-down selection as seen below. In this example we are re-adding the E-Mail Servers. 
To do this, we entered “e” into the search bar and then selected E-Mail Servers in the dropdown selection. Select the target to be re-added Once you’ve selected the correct target, it will automatically be added back to the program. Restoring An Archived Target Restoring an archived target will enable Program Admins to add the target to a program. To restore an archived target, follow the steps below: Navigate to the Target Directory page To navigate to the Target Directory page, first, select the Organization Settings icon on the Crowdcontrol navbar. Then select the Target Directory tab seen in the image below. Search and select the target When restoring a target, use the search bar seen below to find the target. Type the first few characters of the target, then select the desired target in the drop-down selection as seen below. In this example we are restoring archived.website.com. To do this, we entered “ar” into the search bar and then selected archived.website.com in the drop-down selection. Confirm the restored target Once you’ve selected the correct target in the dropdown, a pop-up window will appear to confirm restoring this target. To confirm, select the blue Restore button as seen below. " } , { "title" : "Target Management > Removing and Archiving Targets", "category" : "customer", "tags" : "program-management", "url" : "/customers/program-management/adding-defining-targets/removing-archiving-targets/", "date" : "", "content" : "Targets may be removed from a single program in the program settings page; this can be done when you decide to adjust your program’s scope. Removing a target from a program will also remove it from the program brief visible to the researchers. As a result, researchers will no longer be able to submit against this target. Targets may be archived and removed from the platform entirely in the target directory page; this can be done when you decide to remove access to use a target in any program. 
Archiving a target from the platform will disable the ability for a Program Admin to add that target to a program brief. Archiving Targets: Archiving a target will remove it from the platform. Upon doing so, all existing data and submissions attached to the archived target will remain accessible within the platform. In addition, this target may be restored after it has been archived. Limited Role Based Access: The ability to remove targets is limited to specific roles: Only Organization Owners and Program Admins may remove or edit a target on a single program. Only Organization Owners may remove targets entirely from the platform in the target directory page. Removing Target from a Program Removing a target from a program will effectively change the scope and bounty brief. To remove a target from a program, follow the steps below: Navigate to the Program Scope page. To navigate to the Program Scope page, first, select the Program Settings page at the top of the Crowdcontrol navbar. Then select the Program Scope tab as seen in the image below. To the right of the target that you wish to remove, select the delete icon to proceed with removing the selected target. Removal of Program Targets: If your program has yet to launch live, both in-scope and out-of-scope targets may be removed. If your program is currently running live, ONLY out-of-scope targets may be removed. Confirm removal of target. A confirmation window will appear; to proceed with removing the target from the program, select the red Remove button. Removing a Target: Removing a target from a program will no longer allow researchers to submit vulnerabilities against the removed target until the target has been re-added to the program. At this point in time, the target will be removed from the program brief; however, existing submissions attached to this target will be available within the submission inbox. 
In addition, all submissions attached to this target will be included in all metrics presented on the Insights page. Archiving Targets Archiving a target at the organization level will completely remove it from the platform and disable the use of the target on any program. To archive a target, follow the steps below: Navigate to the Target Directory. To navigate to the Target Directory page, first, select the Profile icon on the Crowdcontrol navbar. Then select the Target Directory tab seen in the image below. Click Archive. To the right of the target that you wish to archive, select the delete icon to proceed with archiving the selected target. Archiving a Target: Archiving a target in the Target Directory will completely remove the target from the platform. Existing submissions and data attached to this target will be saved and accessible within the platform. This target may be restored to the platform in the target directory. Confirm and proceed to archive. A confirmation window will appear; to proceed with archiving the target from the platform, select the red Archive button. Archiving a target from the platform will no longer allow Program Admins to add this target to a program. As a result, researchers will no longer be able to submit vulnerabilities against the archived target until the target has been restored to the platform. 
" } , { "title" : "Adding New Engagement", "category" : "customer", "tags" : "program-management", "url" : "/customers/program-management/adding-new-engagements/", "date" : "", "content" : "You can initiate creation of a new program such as a Vulnerability Disclosure program, On-demand program, or Bug Bounty program. To initiate a self-service program, on the Dashboard page, click Start Now. The Select an engagement to launch window is displayed. To proceed, see the following sections based on the type of program you want to create: Adding Vulnerability Disclosure Program Adding On-demand Program Adding Bug Bounty Program" } , { "title" : "Adding New Engagement > Adding Bug Bounty Program", "category" : "customer", "tags" : "program-management", "url" : "/customers/program-management/adding-new-engagements/adding-bug-bounty-program/", "date" : "", "content" : "The steps to add a Bug Bounty program are: Provide a program name Set targets Specify terms and conditions Specify reward range Identify vulnerability concerns Select the crowd Add look and feel Schedule program launch Review details and submit To add a Bug Bounty program: In the Select an engagement to launch window, click Start for Bug Bounty Program. The Step 1: Program Name page is displayed. Provide a name for your program and click Next step. The Step 2: Set targets page is displayed. Also, the Grant created message is displayed. Click Add target to add the target that must be tested. You can add multiple targets. On each page, you can click Save and complete later to save the information that you have filled in and complete the remaining sections at a later time. The Add a target pop-up window is displayed. Specify the following information: Target Name (URL/Location): Select a target from the drop-down menu or specify a new target. Category: If you select an existing target name, then the category is displayed by default. 
If you have specified a new target name, then select the required category: Website API iOS Android IoT Hardware Other Click Add. The target is added and the Target added to the program scope message is displayed. If you want to edit the target details, click the icon in the Actions column. Click Next step. The Step 3: Terms and conditions page is displayed. You can enable or disable the following options: Use Bugcrowd’s Vulnerability Rating Taxonomy Encourage disclosure of non-target issues Safe harbor agreement Co-ordinated disclosure To enable, move the slider to the right. To disable, move the slider to the left. By default, all the options are enabled. Click Next step. The Step 4: Reward range page is displayed. Set the range of the reward amount the researchers can expect based on the technical severity of the vulnerability. Select the program reward range based on the security maturity of your assets: Basic Intermediate Advanced When you select any of these options, the Low reward and High reward amounts are automatically populated for each technical severity level. The minimum reward amount is $20. You can specify the Maximum advertised reward (greater than P1) that the organization can pay for an exceptional submission. Click Next step. The Identify Vulnerability Concerns page is displayed. Specify the key security concerns you have and the important findings researchers must prioritize. This information helps Bugcrowd to select the best researchers for you. Click Next step. The Step 6: Select Your Crowd page is displayed. Specify the skills that the researcher must have. This will help Bugcrowd to select a security team (researchers) that match these requirements. The skills that you can specify are: Researcher Activities: List the activities researchers will perform. For example, Website testing, API testing. Asset Environments: Specify the environments the targets are running in. 
Languages and Frameworks: List the programming languages, frameworks, and integrated libraries used by the targets. Hosted and 3rd-party Applications and Services: Indicate whether the targets rely on hosted and 3rd party applications. For example, if the application is running on a database, then specify MySQL. Click Next step. The Step 4: Add look and feel page is displayed. Specify the following information: Upload a logo: Click Upload logo and specify a logo for your program. Enter a background color for your logo: Provide an RGB hex value for the background color of the logo. Tagline: Provide a tagline for your program. Introduction: Provide a description for your program. This will be displayed as the first paragraph in your Program brief. After specifying the information, click Update preview to view your changes. Click Next step. The Step 5: Schedule launch page is displayed. Specify the following information: Preferred private launch timeline: Select an option to indicate when you want the program to start: As soon as possible (default) Within a month More than a month Preferred public launch timeline: Select an option to indicate when you want to launch the program publicly after the private launch: Soon after private launch (default) A month after private launch More than a month after private launch Click Next step. The Step 6: Review and submit page is displayed. Review the information that you have provided. In case you want to modify any details, click Edit and make the changes. Click Submit. The Your program has been provisioned message is displayed. Bugcrowd will contact you to review and launch the program. " } , { "title" : "Adding New Engagement > Adding On-Demand Program", "category" : "customer", "tags" : "program-management", "url" : "/customers/program-management/adding-new-engagements/adding-on-demand-program/", "date" : "", "content" : "The information you provide in these steps will define the program scope and rewards. 
It will also help Bugcrowd identify the right skills and experience from the crowd to ensure maximum program value. The steps to add an On-Demand program are: Provide a program name Set targets Specify terms and conditions Specify reward pool Identify vulnerability concerns Select the crowd Add look and feel Schedule program launch Review details and submit To add an On-Demand Program: In the Select an engagement to launch window, click Start for On-Demand Program. The Step 1: Program Name page is displayed. Provide a name for your program and click Next step. The Step 2: Set targets page is displayed. Also, the Grant created message is displayed. Click Add target to add the target that must be tested. You can add multiple targets. On each page, you can click Save and complete later to save the information that you have filled in and complete the remaining sections at a later time. The Add a target pop-up window is displayed. Specify the following information: Target Name (URL/Location): Select a target from the drop-down menu or specify a new target. Category: If you select an existing target name, then the category is displayed by default. If you have specified a new target name, then select the required category: Website API iOS Android IoT Hardware Other Click Add. The target is added and the Target added to the program scope message is displayed. If you want to edit the target details, click the icon in the Actions column. Click Next step. The Step 3: Terms and conditions page is displayed. You can enable or disable the following options: Use Bugcrowd’s Vulnerability Rating Taxonomy Encourage disclosure of non-target issues Safe harbor agreement Co-ordinated disclosure To enable, move the slider to the right. To disable, move the slider to the left. By default, all the options are enabled. Click Next step. The Step 4: Reward pool page is displayed. In Bounty pool budget, specify the total reward pool for your program. The minimum value is $15,000. 
Click Next step. The Identify Vulnerability Concerns page is displayed. Specify the key security concerns you have and the important findings researchers must prioritize. This information helps Bugcrowd select the best researchers for you. Click Next step. The Step 6: Select Your Crowd page is displayed. Specify the skills that the researchers must have. This will help Bugcrowd select a security team (researchers) that matches these requirements. The skills that you can specify are: Researcher Activities: List the activities researchers will perform. For example, Website testing, API testing. Asset Environments: Specify the environments the targets are running in. Languages and Frameworks: List the programming languages, frameworks, and integrated libraries used by the targets. Hosted and 3rd-party Applications and Services: Indicate whether the targets rely on hosted and 3rd-party applications. For example, if the application is running on a database, then specify MySQL. Click Next step. The Step 4: Add look and feel page is displayed. Specify the following information: Upload a logo: Click Upload logo and specify a logo for your program. Enter a background color for your logo: Provide an RGB hex value for the background color of the logo. Tagline: Provide a tagline for your program. Introduction: Provide a description for your program. This will be displayed as the first paragraph in your Program brief. After specifying the information, click Update preview to view your changes. Click Next step. The Step 5: Schedule launch page is displayed. In Preferred launch timeline, select an option to indicate when you want the program to start: As soon as possible (default), Within a month, More than a month. Click Next step. The Step 6: Review and submit page is displayed. Review the information that you have provided. In case you want to modify any details, click Edit and make the changes. Click Submit. The Your program has been provisioned message is displayed. 
Bugcrowd will contact you to review and launch the program. " } , { "title" : "Adding New Engagement > Adding Vulnerability Disclosure Program", "category" : "customer", "tags" : "program-management", "url" : "/customers/program-management/adding-new-engagements/adding-vulnerability-disclosure-program/", "date" : "", "content" : "The steps to add a vulnerability disclosure program are: Provide a program name, Set targets, Specify terms and conditions, Add look and feel, Schedule program launch, Review details and submit. To add a Vulnerability Disclosure Program: In the Select an engagement to launch window, click Start for Vulnerability Disclosure Program. The Step 1: Program Name page is displayed. Provide a name for your program and click Next step. The Step 2: Set targets page is displayed. Also, the Grant created message is displayed. Click Add target to add the target that must be tested. You can add multiple targets. The Add a target pop-up window is displayed. Specify the following information: Target Name (URL/Location): Select a target from the drop-down menu or specify a new target. Category: If you select an existing target name, then the category is displayed by default. If you have specified a new target name, then select the required category: Website, API, iOS, Android, IoT, Hardware, Other. Click Add. The target is added and the Target added to the program scope message is displayed. If you want to edit the target details, click the icon in the Actions column. Click Next step. The Step 3: Terms and conditions page is displayed. You can enable or disable the following options: Use Bugcrowd’s Vulnerability Rating Taxonomy, Encourage disclosure of non-target issues, Safe harbor agreement, Co-ordinated disclosure. To enable, move the slider to the right. To disable, move the slider to the left. By default, all the options are enabled. Click Next step. The Step 4: Add look and feel page is displayed. 
Specify the following information: Upload a logo: Click Upload logo and specify a logo for your program. Enter a background color for your logo: Provide an RGB hex value for the background color of the logo. Tagline: Provide a tagline for your program. Introduction: Provide a description for your program. This will be displayed as the first paragraph in your Program brief. After specifying the information, click Update preview to view your changes. Click Next step. The Step 5: Schedule launch page is displayed. Specify the following information: Preferred private launch timeline: Select an option to indicate when you want the program to start: As soon as possible (default), Within a month, More than a month. Preferred public launch timeline: Select an option to indicate when you want to launch the program as public after the private launch: Soon after private launch (default), A month after private launch, More than a month after private launch. Click Next step. The Step 6: Review and submit page is displayed. Review the information that you have provided. In case you want to modify any details, click Edit and make the changes. Click Submit. The Your program has been provisioned message is displayed. Bugcrowd will contact you to review and launch the program. " } , { "title" : "Managing Credentials", "category" : "customer", "tags" : "program-management", "url" : "/customers/program-management/credential-management/", "date" : "", "content" : "Credential Allocation: The Credentials page displays all of the credentials that have been generated for applications in your Program. To view the credentials that are available and currently in use, go to your program settings and view the Credential buckets tab. As shown below, this program has three sets of buckets for different types of credentials. 
Crowdcontrol supports the following credential types: Email, Text, Traffic Control. With each bucket, you can see the assigned, available, and archived credentials along with the allocation strategy per researcher. Viewing credential assignment: When clicking into a credential bucket, you can see the settings related to it, and which specific credentials have been assigned so far. Credentials are distributed to researchers within the bounty brief. When a researcher clicks the button shown below, a set of credentials from each bucket is allocated." } , { "title" : "Generating Reports", "category" : "customer", "tags" : "reporting", "url" : "/customers/program-management/generating-reports/", "date" : "", "content" : "Program Summary Report: The Program Summary Report provides information about the performance of your bounty or vulnerability disclosure program. If you are running an ongoing program, the Program Summary Report provides the information you need to find key data points and trends, so that you can assess the success and value of your program. The Program Summary Report is generated as a PDF file to enable sharing the performance metrics with stakeholders in your organization. Program Report for On-Demand Programs: You can generate Program Summary Reports for ongoing programs only. For on-demand programs, Bugcrowd generates the Program Summary Report and delivers it to you at the end of your program. The Program Summary Report includes the following sections: Executive Summary: Provides a brief synopsis of the contents and purpose of the report. Reporting Methodology: Describes the diversity of testing methodologies used during the test. Targets and Scope: Provides information about the tested targets and the Bugcrowd team members assigned to the program. Findings Summary: Consists of the following sub-sections: Findings by Severity: Includes a graph that provides a high-level view of all valid assessment findings from the program based on technical severity. 
Risk and Priority Key: Provides a detailed understanding of Bugcrowd’s Vulnerability Rating Taxonomy (VRT). Findings Table: Provides an overview of all valid submissions for the program. Vulnerability Details: Provides complete data for each valid submission. Appendix: Consists of the following sub-sections: Submissions Over Time: Includes a bar graph that shows the number of submissions received and validated over a period of time. Submissions Signal: Provides the number of valid, invalid, and duplicate submissions. Also shows the submissions that are being processed. Bug Types Overview: Includes a pie chart view of valid submissions received based on the vulnerability type and Vulnerability Rating Taxonomy. Spendings of Program Reward Pool: Provides a high-level overview of rewards paid to the researchers. Top 3 Highest Paid Submissions: Provides the title, the link, and the amount rewarded for the top three paid submissions. Closing Statement: Provides a final recount of your program. When you build the Program Summary Report, you can select the sections you want to include or exclude in the report. Program Health and Spend Report: The Program Health and Spend Report provides insight into your program spend and aims to show the Return On Investment (ROI) of your crowdsourced security program. The intended audience for this report is the broader security team and other stakeholders, who may not be aware of day-to-day program operations but want a quick overview of the program health. The Program Health and Spend Report is generated as a PDF file. The Program Health and Spend Report includes the following sections: Executive Summary: Provides the purpose of the report. Program Performance: Provides information about the number of accepted submissions, the number of valid submissions received based on severity or priority level, and the researcher payment time. 
Your Investment: Shows the reward expenditure, the team’s time spent on the platform, and the response time to submissions. Bugcrowd’s Role: Provides a breakdown of Bugcrowd’s role in ensuring your program’s success. The chosen measure is the response time. Security Posture Report: The Security Posture Report provides information about the type, severity, and number of vulnerabilities received, and your team’s ability to act quickly on and learn from findings. This report helps in identifying trends in response and resolution times, and changes in the received vulnerabilities. Based on industry benchmarks, you can quickly map your progress against industry peers. The report is generated as a PDF file. The Security Posture Report includes the following sections: Executive Summary: Provides the purpose of the report and summarizes the report details. Resolution Trend: Includes a graph that shows how quickly your organization is resolving submissions. It shows the time taken between acceptance and resolution for submissions. Opportunities: Provides information about how your organization is performing compared to the peers in your industry. Based on this information, along with an understanding of unique industry trends, Bugcrowd may recommend actions that can help to improve submission volume. Security Posture: Provides information about the following: Number of open vulnerabilities for your program. Targets in your program that have the most submissions. Targets that require additional attention from your team. Submissions: Provides details of valid submissions for your program for the last 30 days. Creating a Report: Go to the Reports tab and then click the tab for the type of report you want to generate. For example, to generate a Security Posture Report, click the Security Posture Report tab. Click Create new report. Provide the following information: Report title: Title for the report. Bounty name: Program name for which you are generating the report. 
In the case of the Program Summary Report, you can select any of the following sections to include in your report: Table of contents: Includes a table of contents. Target list: Includes the tested targets and the Bugcrowd team members assigned to the program. Default executive summary: Includes a brief synopsis of the contents and purpose of the report. Submissions index: Includes the Findings Table that provides an overview of all valid submissions for the program. Full vulnerability details: Includes the Vulnerability Details section that provides complete data for each valid submission. Program reward details: Includes the following: Spendings of Program Reward Pool: Provides a high-level overview of rewards paid to the researchers. Top 3 Highest Paid Submissions: Provides the title, link, and the amount rewarded for the top 3 highest paid submissions. Click Generate report. The You will receive an email to download the PDF report as soon as possible message is displayed. Viewing Report: In the email you have received from Bugcrowd, click View Report. The report (in PDF format) opens in a browser and you can download the file. You can also click the report title to view the report. The report title link is active only after the PDF report is generated. Deleting a Report: Click Delete for the report you want to delete. The Report deleted message is displayed." } , { "title" : "Generating Reports > Generating the Program Report", "category" : "customer", "tags" : "", "url" : "/customers/program-management/generating-the-program-report/", "date" : "", "content" : "If you are running an ongoing program, the Program Report will provide you with the information you need to find key data points and trends, so you can assess the success and value of your program. Program Report for On-Demand Programs: Program Reports can only be generated by customers with ongoing programs. 
If you are running an on-demand program, Bugcrowd will continue to generate the Program Report and deliver it to you at the end of your program. Sections in the Program Report: To help you quickly find the information you care most about, the Program Report includes the following sections: Executive Summary - provides a brief synopsis of the contents and purpose of the report. Reporting Methodology - describes the diversity of testing methodologies used during the test. Targets and Scope - identifies the targets tested and states the Bugcrowd team members assigned to the program. Findings Summary - this section consists of the following sub-sections: Findings by Severity - a graph providing a high-level view of all valid assessment findings from the program by technical severity. Risk and Priority Key - a detailed understanding of Bugcrowd’s Vulnerability Rating Taxonomy (VRT), delivering clarity around how vulnerabilities are rated. Findings Table - an overview of all valid findings on the program. Vulnerability Details - full submission data for each valid finding. Appendix - distills submissions data into the following sub-sections: Submissions Over Time - a bar graph showing the number of submissions received and validated over a period of time. Submissions Signal - a detailed breakdown of submissions identifying the number of valid, invalid, duplicate, and processing vulnerabilities, giving you a view of the program’s signal. Bug Types Overview - a pie chart view of valid submissions received by vulnerability type, based on the Vulnerability Rating Taxonomy. Spendings of Program Reward Pool - a high-level overview of rewards paid out to the researchers. Top 3 Highest Paid Submissions - the title, the link, and the amount rewarded for the top 3 highest paid submissions. 
Closing Statement - provides a final recount of your program. When you build your report, you can select the sections you want to include or exclude in your report. Generating a Program Report: Go to the Insights page. To generate a Program Report, go to the Insights page and click the Program Report tab. This page displays all of your generated reports. Click the New Report button. Fill in the Report Options. When the Report Options window appears, provide a name for the report, specify a date range, and choose the sections you want to include in the report. Report Options include: Report Title - type in the name of your report. Submitted At - use the drop-down arrow to select a date range for the Program Report. Targets and Scope - check the box to include the Targets and Scope section that shows the targets tested and states the Bugcrowd team members assigned to the program. Submission Inbox - check the box to include the Findings Table, an overview of all valid findings on the program. Full Vulnerability Details - check the box to include the Vulnerability Details section that shows full submission data for each valid finding. Program Reward Details - check the box to include the Spendings of Program Reward Pool, a high-level overview of rewards paid out to the researchers, and the Top 3 Highest Paid Submissions, which provides the title, the link, and the amount rewarded for the top 3 highest paid submissions. Generate the Program Report. When you are ready to build the report, click the Generate Report button. " } , { "title" : "Image Embed Authentication", "category" : "customer", "tags" : "program-management", "url" : "/customers/program-management/image-embed-authentication/", "date" : "", "content" : "Image embeds within submissions and comments enable more detailed reports that are easier to review and understand. 
With this functionality, we now push the URL of the image within the following: API, CSV Export, Integrations. With this, we give customers control to disable the requirement to authenticate to Crowdcontrol for access to images. With authentication disabled, in workflows where downstream consumers lack platform access, they can still access the full context of the report. This setting is available within Program Settings > Field and Settings. By default, authentication is required. Image URL Security: The URL of the image is designed to avoid the ability to brute-force or guess it." } , { "title" : "Inviting Researchers", "category" : "customer", "tags" : "program-management", "url" : "/customers/program-management/inviting-researchers/", "date" : "", "content" : "You can now invite researchers to your program using their email address. This is possible only if the researcher is already on the Crowdcontrol platform. To send an invitation to a researcher: Select the program for which you want to send an invite to the researcher. Click the Researchers tab and then click Invitations. The Invitations page is displayed. In Researcher email address, specify the email address of the researcher to whom you want to send the invitation. Click Invite researcher. If the researcher has a Bugcrowd account and is not banned from the platform, your organization, or the specific program, then the invitation is sent to their email address. If the researcher accepts the invitation, then it is displayed in the Invited Researchers section. " } , { "title" : "Import Known Issues", "category" : "customer", "tags" : "program-management", "url" : "/customers/program-management/known-issues-imports/", "date" : "", "content" : "Known issues may be imported into Crowdcontrol using a CSV file with the proper formatting. 
These submissions can only be uploaded by Organization Owners or Program Administrators. For a more automated means of importing issues, see our API’s ability to create submissions. Be sure that all the information is correct before importing: Once a submission is uploaded, edits may only be made to the ‘submission title’ or internal bug type in the Crowdcontrol UI. All other edits will be handled by Bugcrowd engineering. This includes a mistake in a researcher’s email. If this happens, send an email to support@bugcrowd.com immediately. To import any known issues, go to Settings > Import Issues. The Import Issues page identifies the proper formatting and required fields to use when importing your CSV file. If errors in the format are found upon uploading, the CSV will list the errors to be fixed. Once the known issues have been properly formatted in a CSV file, click the Import Known Issues button at the bottom of the page and select your saved CSV file to upload your submissions. Additional Formatting Help: Download an example CSV document by clicking the Download Example CSV button so that you can inspect the schema. Download a JSON file with the schema to validate your CSV file by clicking Download CSV Schema. Once successfully uploaded, an email with a report will be sent to the user who initiated the import. This report will include links to all submissions that were successfully imported, along with error messages if there were any errors in processing. If any researcher emails are specified, a notification will be sent to them via email so that they can claim their submissions through Crowdcontrol." } , { "title" : "Navigating between Programs", "category" : "customer", "tags" : "program-management", "url" : "/customers/program-management/navigating-programs/", "date" : "", "content" : "If your company runs multiple programs, you can switch between them without having to log in to different accounts. Click on the Program drop-down. 
Click on the current program’s name to display a drop-down list of all active programs for your organization. Each program uses colors to display three key stats: Gray: Number of submissions that are being processed. Blue: Number of triaged submissions. Green: Number of resolved submissions. Select a Program. From the drop-down list, click on the program you would like to access. " } , { "title" : "Updating Program Brief > Program Announcements", "category" : "customer", "tags" : "", "url" : "/customers/program-management/program-announcements/", "date" : "", "content" : "You can announce the following: New feature or release, Changes to program brief, Reward structure changes, Bonus reward periods, Changes in program scope. Navigating to Announcements: Go to Settings and click Announcements. The Announcements page is displayed. Creating an Announcement: On the Announcements page, click Create announcement. Selecting an Announcement Type: Select any of the announcement types described in the following table (Announcement Type: Description). Bonus rewards: Bonus reward changes. Program pause: Program is paused. Program unpause: Program is reopened. Scope update: Changes in the program scope. Scope increase: Recent changes or updates to the target for a program. Scope decrease: Program scope is reduced. Out of scope: Program is now out of scope. Stop testing: Researchers must stop all testing activities. Stop scanner traffic: Researchers must discontinue using automated vulnerability scanners on the program. Reward delays: Delay in the rewards. Reward increase: Increase in the reward range. Reward decrease: Decrease in the reward range. Other: Any other information. The New Announcement page is displayed, where you can add the announcement details. Adding Announcement Details: Based on the announcement type, the Title and Body fields display default text. You can use this text as a template and update the specific information, or delete this text and add new content. 
In the Body field, you can style your text using Markdown syntax. For more information, see using markdown for formatting content. Also, a message is displayed at the bottom of the page that provides information about the number of researchers (subscribed to your program) to whom the announcement will be sent as an email. If you want to save the announcement as a draft and publish it at a later time, click Save draft. Publishing an Announcement: After adding the announcement information, click Publish. The announcement is emailed to the researchers who have “subscribed” to the program. Also, the announcement is listed on the Announcements page as shown. The following information is displayed for the announcement: Title: Title of the announcement. Published At: Date when the announcement was published. If the announcement is not published, then Not Published is displayed. Template: Announcement type that was selected when creating the announcement. Status: Status of the announcement. If it is published, then the status is Published. If it is saved as a draft, then the status is Draft. Recipients: Number of recipients to whom the announcement is sent. The researchers receive an email only when the announcement is published for the first time. If you make any changes to a published announcement, then they are available on the Program’s Announcements page and an email is not sent to the associated researchers. Editing an Announcement: On the Announcements page, to edit an announcement, click the required announcement title. The Edit Announcement Title page is displayed. In the Title and/or Body fields, update the required content. Click Publish changes. The changes are published and appear on the Program’s Announcements page for the researcher." 
} , { "title" : "Updating Program Brief > Setting Program Reward Ranges", "category" : "customer", "tags" : "", "url" : "/customers/program-management/setting-program-reward-ranges/", "date" : "", "content" : "Crowdcontrol makes it easy to communicate clear reward ranges directly on your bounty brief, based on the technical severity of the vulnerability. Set Prior to Program Launch: Reward ranges may only be set by the owner, admin, or analyst prior to the program going live. Once the program is live, you must send an email to support@bugcrowd.com to edit the reward range. To set up bounty reward ranges on your program brief, follow the steps below: Navigate to the Settings page. Navigating to the settings page will bring you to the program brief tab. Scroll to Program Rewards. Set a Maximum Advertised Payout. This maximum payout will be visible to the researcher upon invite to a private program. Providing researchers insight into the maximum payout helps them decide whether they’d like to participate in your program and ensures that those who accept the invitation will be actively testing. Set reward ranges for each technical severity. There are a few options when setting reward ranges: You can set a minimum and maximum for a specific severity by filling in both the Low Reward and High Reward fields. The reward range will be displayed in the program brief as seen in the image below. You can set a range up to a specific amount for a specific severity by filling in the High Reward field and leaving the Low Reward field empty. The reward range will be displayed in the program brief as seen in the image below. You can set a range to start at a specific amount for a specific severity by filling in the Low Reward field and leaving the High Reward field empty. The reward range will be displayed in the program brief as seen in the image below. Or, if you do not wish to pay for a specified vulnerability severity, leave the field blank. 
If left blank, a notification below the reward range will highlight which severity levels will not receive rewards. Researchers will still receive the appropriate kudos points for these submissions. On-demand Programs: For On-demand programs, you must specify both Low Reward (minimum) and High Reward (maximum) for a priority level. When the program closes, the reward pool is divided based on a calculation. Hence, the minimum and maximum values set the limits on how the reward pool is divided. Update the Program. " } , { "title" : "Updating Program Brief", "category" : "customer", "tags" : "program-management", "url" : "/customers/program-management/updating-program-brief/", "date" : "", "content" : "You can specify details such as brand color, organization logo, program name, tagline, description, targets, rewards, and known issues. You can also request the safe harbor status and update the CrowdStream settings. Researchers read the Program Brief to understand the scope and purpose of the program, and to view the targets that you want them to test. See the following links for tips and tricks to write a successful Program Brief: Do’s and don’ts of writing Program Brief; Bounty brief anatomy. Navigating to Program Brief: Go to the program’s Settings tab. The Program brief page is displayed. Setting Your Brand Color and Organization Logo: To set the brand color, in the Your brand section, click within the displayed text box (top right corner) and specify the hex value for the required color. To change the organization logo, click on the displayed logo and choose the new logo. Specifying Program Name, Tagline, and Description: In the Your brief section, specify the information for the fields provided in the following table (Field Name: Description). Name: Descriptive name for the bounty program, such as the name of your company or the application that is being tested. Tagline: Short sentence that concisely describes your company, product, or bounty program. 
Description: Details about the goal of your bounty program. To style your text, you can apply Markdown syntax. For more information, see using markdown for formatting content. For Tagline and Description examples, see public program listing. Embedding Images for Description and Target Information: You can embed images in the Description or Target information markdown fields, or attach images to clarify the program scope to researchers. To embed images, you can drag-and-drop the image into the field, or paste the images into the field. You can also click selecting and specify the image that you want to attach. For more information, see the embedding images section in using markdown for formatting content. Adding Target Information: A target is a Web application, mobile application, API, IoT device, hardware, or a website you want to include in your bounty program. You can add or remove targets manually before a program is live. After the program is live, contact your Account Manager to add or remove any targets. To specify the target information, in the Your brief section, provide information about the program scope, including details about the added targets. Explicitly emphasize the in-scope targets, out-of-scope targets, focus areas, and so on. To style your text, you can apply Markdown syntax. For more information, see using markdown for formatting content. You can add targets in the Program scope tab. For more information about targets, see target management. Adding Program Rewards: You can specify the payment ranges that the researchers can expect based on the technical severity of the submission. The reward amounts are applicable for valid submissions when the submission moves to the Unresolved state. Unrewarded severity categories are left blank. To add the reward ranges, in the Reward ranges by severity section, specify the reward amount in the Low reward and High reward fields for the technical severity level. 
The minimum monetary reward is $20. In the Maximum advertised reward field, specify the maximum reward (more than the highest P1 reward) that the organization will pay for an exceptional submission. Displaying Known Issues: You can display the count of unique and duplicate vulnerabilities in the Program Brief. It includes P1 to P4 submissions in the Triaged, Unresolved, Won’t fix, and Duplicate states. To display the known issues in the Program Brief, select the Show Known Issues on program brief option. Requesting Safe Harbor Status: To indicate safe harbor terms to researchers, you can set and view the program’s safe harbor status within Crowdcontrol. Before requesting the safe harbor status, make sure that you have met the following requirements for safe harbor compliance: Extending Safe Harbor requires the following authorization and exemptions: Authorization in accordance with the Computer Fraud and Abuse Act (CFAA); Exemption from the Digital Millennium Copyright Act (DMCA); Exemption from restrictions in Terms and Conditions that may interfere with conducting security research. Scope: Identify all in-scope assets so that there is no ambiguity around ownership and scope. Disclosure Policy: Display the program’s policy to help researchers understand the program. Any program on Crowdcontrol automatically completes the following requirements: Rewards: Whether compensation is provided for (valid and unique) issues, and the form and magnitude of that compensation. Official Communication Channels: Exhaustive list of the communication methods that are considered acceptable by the organization for receiving and communicating any information associated with potential vulnerabilities. Explicit permission to complete research. After these are set, researchers can view the program’s status and filter by those with a full or partial safe harbor to make sure they are working on programs that provide them the legal measures they prefer. For more information about safe harbor, see Disclose.io and Safe 
Harbor. To maintain an up-to-date bug bounty list, open a PR on Disclose.io within GitHub.
After you have met the preceding requirements, in the Program safe harbor status section, click Request safe harbor update to update the safe harbor compliance for the program.

Updating CrowdStream Settings
CrowdStream is Bugcrowd's public activity feed and displays the activities for rewarded submissions, accepted submissions, resolved submissions, and coordinated disclosures. You can perform the following:
* Enable CrowdStream visibility for the program
* Allow or prevent researchers from requesting submission disclosure
For further information, see setting CrowdStream activity feed visibility.

Previewing Program Brief
After you have provided all the required information, click Generate brief preview. Then click Preview program brief. A preview of the updated Program Brief opens as a separate page and displays the information the way it will appear to researchers.
Preview Link: The preview link does not expire and can be used by anyone who obtains it. Anyone who has this link can participate in the bounty program, even if the program is private. Treat the link as a credential: it is for internal use only and must not be distributed to outside researchers. To invalidate the preview link, click Clear preview link.

Saving Program Brief Information
To save the information you have provided in the various sections, click Update program. The Program Brief is updated and researchers can view this information." } , { "title" : "Understanding Roles and Permissions > Adding New Team Members", "category" : "customer", "tags" : "", "url" : "/customers/role-and-account-management/adding-team-members/", "date" : "", "content" : "Crowdcontrol enables multiple members of your organization to participate in your bug bounty programs. You can invite new users and assign roles to them based on the tasks you want them to perform.
For example, you can give a team member administrative access to pay out rewards, or basic access to view submissions. You can perform all team member management tasks at the Organization level in Organization Settings or at the Program level in Program Settings.
Role Requirements for Adding New Members: Your ability to invite new team members depends on the permissions assigned to your role. Only Organization Owners and Program Administrators can invite or remove users on the platform. Learn more about roles and permissions.
For more information about adding new members, see the following:
* Adding Members at the Organization Level
* Adding Members at the Program Level
* Accepting Invitation
* Resend Invitation Email" } , { "title" : "Understanding Roles and Permissions > Accepting Invitation", "category" : "customer", "tags" : "account-management", "url" : "/customers/role-and-account-management/adding-team-members/accepting-invitation/", "date" : "", "content" : "Once a new team member has been invited to Crowdcontrol by an Organization Owner or a Program Administrator, the user receives an invitation email.
To accept the invitation to Crowdcontrol, select Accept the Invitation. The user is redirected to Crowdcontrol. Fill out the form to set the display name and user password. Enter the password twice, and then select the orange Accept the Invitation button to activate the account." } , { "title" : "Understanding Roles and Permissions > Adding Members at the Organization Level", "category" : "customer", "tags" : "account-management", "url" : "/customers/role-and-account-management/adding-team-members/organization-level/", "date" : "", "content" : "If you are an Organization Owner, you can add new members to your organization.
To do this, go to your Profile and Organization Settings menu and click Team members. The Organization's Team Members page is displayed.

Invite a Team Member to Crowdcontrol
To invite a new team member to Crowdcontrol, click Invite a team member. A pop-up invitation form appears.

Fill in the Invitation Form
Type the email address of the team member you want to invite to Crowdcontrol. Select Invite this user as an owner if you want to assign the Organization Owner role.
Organization Owner vs. Organization Member: Organization Owners have access to all programs and submissions at the organization level. Organization Members have access to all submissions on the programs they have been assigned to. Learn more about roles and permissions.
If the member is to be an Organization Owner, finish the invitation by clicking Send invite.
If you want to assign another role, select the appropriate role from the drop-down menu for each program the team member will participate in, and then click Send invite. An invitation email is sent; the new team member must then accept the invitation.
Choosing Roles for Members: Give members the appropriate role on each program according to their responsibilities on that program. For any program that is not applicable to the member, keep the role set to No Permissions; this explicitly restricts that user's access to the program. Learn more about roles and permissions.
API Keys: You can also view the API keys that are in use, expired, or inactive, and revoke tokens as required. For more information, see viewing API keys." } , { "title" : "Understanding Roles and Permissions > Adding Members at the Program Level", "category" : "customer", "tags" : "", "url" : "/customers/role-and-account-management/adding-team-members/program-level/", "date" : "", "content" : "If you are a Program Administrator, you can add members to your program.
To add members to your program, go to Program Settings and select the Manage Team tab. The Program Team Members page appears.

Invite a Team Member to Crowdcontrol
To invite a new team member to Crowdcontrol, select the Invite A Team Member button on the right side of the Program Settings > Manage Team page. An invitation form appears.

Fill in the Invitation Form
First, type the email address of the team member you want to invite to Crowdcontrol. Then use the drop-down arrow to assign the new member the appropriate role: Administrator, Analyst, or Viewer.
Choosing Roles for Members: Give members the appropriate role according to their responsibilities on the program. Learn more about roles and permissions.
Finish by selecting the Invite button. An invitation email is sent; the new team member must then accept the invitation." } , { "title" : "Understanding Roles and Permissions > Resend Invitation Email", "category" : "customer", "tags" : "", "url" : "/customers/role-and-account-management/adding-team-members/resend-invitation-email/", "date" : "", "content" : "An invitation email can be re-sent to a user who has not yet accepted an invitation to Crowdcontrol. This can be done by an Organization Owner on the Organization Team Members page or by a Program Administrator on the Program Team Members page.

Resend as an Organization Owner
Select the Resend button located under the new member's email address. A pop-up window appears; to finish resending the invite, select the Proceed button.

Resend as a Program Administrator
Select the Resend button located under the new member's email address. A pop-up window appears; to finish resending the invite, select the Proceed button."
} , { "title" : "Understanding Roles and Permissions > Assigning Removing Member Roles", "category" : "customer", "tags" : "", "url" : "/customers/role-and-account-management/assigning-removing-member-roles/", "date" : "", "content" : "Crowdcontrol enables multiple members of your organization to participate in your bug bounty programs. You can invite new users and assign roles to them based on the tasks you want them to perform. For example, you can give a team member administrative access to pay out rewards, or basic access to view submissions. You can perform all team member management tasks at the Organization level in Organization Settings or at the Program level in Program Settings.
Role Requirements for Assigning/Removing Members: Your ability to add, change, or remove a team member's role(s) depends on the permissions assigned to your role. Only Organization Owners and Program Administrators can adjust member roles on Crowdcontrol. Learn more about roles and permissions.

Go to the Team Members Section
Go to the Profile and Organization menu and choose Team from Organization Settings. The Organization Members page appears and displays the list of team members in the organization.

Adding a Role for a Member
On the Team Members page, find the desired team member. Inside their program role box, click Add a role. A pop-up screen appears. Use the first drop-down arrow to select a program the member will participate in, and the second drop-down arrow to select the appropriate role on that program for the member.

Changing a Member's Role on a Program
Go to Program Settings and choose the Manage Team tab. On the Manage Team page, find the desired team member.
Inside their program role box, use the drop-down arrow to change the member's role on the program. Select the role that best matches the team member's responsibilities on the program.

Removing a Member from a Program
On the Manage Team page, find the desired team member. Inside their program role box, click Remove next to the member's role to remove the member from the program. A pop-up screen appears; confirm that you want to remove the team member from the program.

Removing All Roles for a Team Member
An Organization Owner can remove all roles assigned to a member at one time. To do this, go to the Profile and Organization menu and choose Team. In the top right corner of the member's program role box, select the more options (three dots) icon and select Clear assigned roles. Click OK to remove the member from all assigned program roles.

Removing a Member from Crowdcontrol
On the Manage Team page, find the desired team member. In the top right corner of their program role box, select the more options (three dots) icon, and then select Remove from organization. A pop-up window appears; click Proceed to remove the member from Crowdcontrol." } , { "title" : "Update Personal Settings > Managing Sessions and Logouts", "category" : "customer", "tags" : "", "url" : "/customers/role-and-account-management/managing-sessions-and-logouts/", "date" : "", "content" : "Each time you log in to Crowdcontrol from a new device, a new active session is created for your account. Sessions record your IP address, operating system, and browser type, so you can identify any unusual activity on your account. If there are any unauthorized sessions on your account, revoke them immediately and contact Bugcrowd.
For security purposes, Crowdcontrol enforces re-authentication after two hours when you try to access certain areas of the platform.
For example, if you want to modify your security settings or manage your account settings, you need to re-authenticate to gain access. If you have additional security measures on your account, such as SSO, you need to log in again through your provider.

Viewing Active Sessions
To see a list of all active sessions for your account, go to your Account settings and navigate to the Security tab. To quickly access this area, go to active sessions. You can see your current session and revoke any active session you want.

Revoking a Session
You can log out of a session by revoking it. To revoke a session, go to your Account settings and navigate to the Security tab (or go directly to active sessions), where all active sessions are listed. Revoke the session you no longer want to keep active." } , { "title" : "Managing Notifications", "category" : "customer", "tags" : "account-management", "url" : "/customers/role-and-account-management/notification-settings/", "date" : "", "content" : "Notifications alert you when something occurs in a program that requires your attention. Crowdcontrol offers a tailored notification experience that lets you customize when and where you want to be notified. You can choose to get notifications when:
* You are assigned to a submission.
* There is activity on a submission that you have subscribed to.
* You are mentioned in a submission comment.
* A submission changes to a status that is of interest to you.

Updating General Activity Settings
You decide whether and how you want to receive general activity notifications. General notifications include team notes, replies from researchers, submission state changes, and rewards paid out to a researcher.
To adjust your general activity notification settings, go to your Notifications settings.
Choose to receive general activity notifications in-app, both in-app and by email, or not at all.

Updating Email Notification Settings
You can update your email notification settings to receive alerts when a submission changes to a specific status. To adjust them, go to your Notification settings and select the submission statuses you want to be alerted about.

Updating Automated Subscription Settings
You can manage when you are automatically subscribed to a submission based on a specific action. Choose to be automatically subscribed to a submission when:
* You edit or comment on it.
* You are @mentioned or assigned.
* The submission is moved to a specific state.
To adjust your automated subscription settings, go to your Notifications settings and select the settings that fit your needs.
Get Email Notifications for Activity on Subscribed Submissions: To receive notifications for the submissions you are subscribed to, you must enable the Activity on subscribed submissions option in the email notification settings.

Viewing Notifications
The Notifications page lists the submissions that have alerts for you to review. From the Notifications page, you can filter submissions, update your notification settings, unsubscribe from notifications, and mark your notifications as read. To access the Notifications page, click the Notifications icon next to your avatar.
Each submission shows how many notifications it has; all notifications are grouped per submission. Click a submission to view it. After you view a submission, its notification is removed from the Notifications page.

Filtering Notifications
You can apply filters to show only the notifications you want to see.
Filters are available for unread notifications and for programs.

Clearing Notifications
After you view the changes in a submission, its notification is automatically cleared from the Notifications page. If you don't want to review any submissions, you can mark them all as read. Once you refresh, the Notifications page is empty.

Unsubscribing from Submissions from the Notifications Page
When there is activity on a submission that you are subscribed to, you receive a notification by email and in Tracker. If you no longer want to receive notifications for submissions, you can unsubscribe from them. You can unsubscribe from all the submissions in the inbox or from individual submissions.
To unsubscribe from a specific submission, click the star next to the submission. To unsubscribe from all submissions, click Unsubscribe All. To resubscribe to a submission, you must do so from within the submission." } , { "title" : "Managing Notifications > Auto Escalation", "category" : "customer", "tags" : "account-management", "url" : "/customers/role-and-account-management/notification-settings/auto-escalation/", "date" : "", "content" : "When a critical vulnerability is discovered, it is essential that the right people are notified immediately so that it is remediated quickly. To ensure users are aware of submissions that need immediate attention, Crowdcontrol offers auto-escalation functionality that automatically sends an email notifying selected email addresses of a critical (P1) submission. The email notification is sent after a Bugcrowd Application Security Engineer has triaged the submission and confirmed that a P1 vulnerability has been found.
Set up a list of email addresses in Crowdcontrol to ensure the right people are notified so they can take action and eliminate the risk.
Single Email to Group Per Escalation: A single email is sent per escalated submission to the entire list of recipients, with a 5-minute delay.

Setting Up Auto-Escalation
To set up auto-escalation, you must be an Organization Owner or Program Administrator. Auto-escalation can be enabled on a per-program basis ONLY.
1. Navigate to Settings. Go to the Settings page of your program, located on the right side of the Crowdcontrol navbar.
2. Select the Manage Team tab.
3. On the right-hand side of the Manage Team page, enter one or more email addresses of the team members to be notified by email whenever a submission has been triaged as a critical (P1) vulnerability. To add an email address, enter it and select the ADD button.

Removing an Email Address from Critical Submission Auto-Escalation
To remove an email address from the critical submissions auto-escalation list, click REMOVE next to the email address. Removing an address from this list ensures that automated notification emails are no longer sent to it." } , { "title" : "Update Personal Settings > Two-Factor Authentication", "category" : "customer", "tags" : "", "url" : "/customers/role-and-account-management/two-factor-authentication/", "date" : "", "content" : "Two-factor authentication (2FA) is a security measure that adds an extra step to your login process to protect your account.
2FA requires that you enter your login credentials along with a second piece of information that only you possess, such as a one-time code generated by an authenticator app on your phone.

Enable 2FA
Enabling 2FA is optional, but highly recommended, because your program contains sensitive information about potential vulnerabilities and bugs that affect your organization.
To enable 2FA:
1. Go to Profile & Account.
2. Go to the Security tab, enter your password, and click the Enable Two Factor Authentication button.
3. Follow the three-step process as directed on the screen, and then click the Enable button.
After you enable 2FA, you are prompted to enter your authentication code each time you log in to Crowdcontrol.
Check marks indicate which team members have two-factor authentication (2FA) enabled, so you can see who on your team still needs to turn it on to be protected. Users who authenticate through SAML can enforce a second factor through their identity provider rather than the platform, so no check mark is displayed next to SAML-authenticated users. ![bounty-analyst](/assets/images/customer/two-factor-authentication/bounty-analyst.png)

Disable 2FA
1. Go to Profile & Account.
2. Go to the Security tab, enter your password, and click the Two Factor Authentication button.
3. Click Disable Two-Factor Authentication. Once confirmed, the page redirects to the login page.
Common issues with 2-Step Verification: new phone; lost or stolen phone. For assistance, send an email to support@bugcrowd.com." } , { "title" : "Understanding Roles and Permissions", "category" : "customer", "tags" : "account-management", "url" : "/customers/role-and-account-management/understanding-roles-and-permissions/", "date" : "", "content" : "Every member of your organization who has access to and engages with your platform has a role.
Each role has a defined set of tasks and responsibilities that can be performed. Your organization can create and manage roles for the team members who are part of your platform. This enables you to invite more team members to the bounty program and set the access rights that each member should have.

Role Types
Roles are divided into two levels: an organization level and a program level.
Organization Level
* Organization Owner: Has full access to all programs and submissions on Crowdcontrol.
* Organization Member: At the lowest level, has access to the Crowdcontrol platform but cannot access programs and submissions until assigned a specific role on a particular program.
Team members who have been invited to Crowdcontrol as an Organization Member but have not yet been assigned a role on a program do not have access to any programs or submissions. For information about assigning and removing roles, see adding team members.
Program Level
Each Organization Member on the platform may be assigned one of the following roles on each program run on Crowdcontrol:
* Administrator: Has the ability to reward submissions.
* Analyst: Has the ability to view and edit submissions.
* Viewer: Has the ability to view submissions.
Assigning Program Roles: An Organization Member can be assigned roles on any program by the Organization Owner, upon invite or in the organization settings.

Role Permissions
Each role has the following set of permissions:

| Permission | Organization Owner | Program Administrator | Program Analyst | Program Viewer |
|---|---|---|---|---|
| Access to Crowdcontrol | X | X | X | X |
| View submissions | X | X | X | X |
| Set submission statuses | X | X | X | |
| Prioritize submissions | X | X | X | |
| Assign submissions | X | X | X | |
| Comment on submissions | X | X | X | |
| Message researcher | X | X | X | |
| Edit program settings | X | X | | |
| Reward submissions | X | X | | |
| View and export reports | X | X | X | X |
| Organization-level view | X | | | |
| Invite members to Crowdcontrol | X | | | |
| Assign viewers | X | | | |
| Assign analysts | X | | | |
| Assign administrators | X | | | |
| Assign owners | X | | | |
| Create programs | X | | | |
| Change the authentication method for the program | X | | | |
" } , { "title" : "Update Personal Settings", "category" : "customer", "tags" : "account-management", "url" : "/customers/role-and-account-management/update-personal-settings/", "date" : "", "content" : "The password, security settings, and notifications for your account can be managed from your personal settings.

Navigate the Personal Settings Page
You can change your password, set up two-factor authentication, and configure your notification settings from your personal settings. To access your personal settings, click your name and select Profile & Account from the drop-down menu.

Set or Update Display Name
Your display name is in the Personal Details section. To set or update it, type your desired name in the display name field. To save it, select the blue Update Profile button.

Configure Time Zone
Users can set Crowdcontrol to reflect their current time zone. This setting is in the Personal Details section.
To configure the time zone, first select the drop-down field labeled time zone, then select the appropriate time zone. To save, select the blue Update Profile button.

Changing Your Profile Avatar
Your avatar adds a face to your account and personalizes it. You can use any photo as long as it is appropriate and representative of who you are. If you choose not to add a profile photo, a unique avatar is generated and assigned to your account. To change your profile photo, go to your account settings, find the Profile avatar section, and click the Upload Image button. Choose the photo you want to use and upload it. When you are done, click the Update Profile button to save your changes.

Update Your Password
From the Profile & Account section, fill in the following fields to change your password:
* Current password
* New password
* Confirm new password

Update Your Security Settings
From your Personal Settings, you can also enable two-factor authentication to make your login more secure. Enabling two-factor authentication is optional, but highly recommended. To enable it, select the Security tab and then click the Enable two-factor authentication button. Follow the prompts on the subsequent screen to complete the setup. Learn how to set up two-factor authentication.

Update Your Notification Settings
You can update your notification settings to receive alerts when a submission changes to a status that is of interest to you. This is one of the many components of managing submission notifications. Learn more about notifications." } , { "title" : "Update Personal Settings > Viewing the Security Event Log", "category" : "customer", "tags" : "", "url" : "/customers/role-and-account-management/viewing-the-security-event-log/", "date" : "", "content" : "The Security Event Log records important information about when and how your Bugcrowd account has been used, one entry per event.
Generally, the log tracks new sessions, re-authenticated sessions, revoked sessions, and updates to your user account, such as a change to your username or password. For each event, you see the date and the type of activity that occurred.
The Security Event Log is helpful if you want to track unusual activity on your account, such as new sessions or modifications to your credentials. If you don't recognize an event, email the support team immediately. Remember, you can also revoke a session if you think that it is suspicious.
To view the Security Event Log:
1. Go to your security settings.
2. Click the Events tab." } , { "title" : "Setting Up Single Sign-On > Centrify", "category" : "customer", "tags" : "", "url" : "/customers/single-sign-on/centrify/", "date" : "", "content" : "{% include alert.html style="warning" text="**Specific Role Required to Configure SSO**: To configure SSO for your program, you must be an [**Organization Owner**](/customers/role-and-account-management/understanding-roles-and-permissions). Organization Owners can log in using Username and Password." %}

## Adding Bugcrowd to Your Centrify Admin Portal
1. Log in to your Centrify Admin Portal.
2. Click **Apps**, and then click **Add Web Apps**. ![add-web-apps](/assets/images/customer/single-sign-on/centrify/add-web-apps.png) The **Add Web Apps** page is displayed.
3. Click **Custom**. ![custom](/assets/images/customer/single-sign-on/centrify/custom.png)
4. Click **Add** next to the SAML application.
5. When the **Add Web App** page appears, click **Yes** to add the application.
6. Close the Application Catalog. The **Settings** page for the application that you have added is displayed. To specify the information for this screen, you must log in to your Bugcrowd account.

## Accessing SAML Information in Bugcrowd
1. In Crowdcontrol, click your profile. ![click-profile](/assets/images/customer/single-sign-on/shared/click-profile.png)
2. Click **Authentication**.
![authentication](/assets/images/customer/single-sign-on/shared/authentication.png)
3. Click **Single Sign-on (SSO)**. ![single-sign-on](/assets/images/customer/single-sign-on/shared/single-sign-on.png) The **SSO Configuration for Demo Organization** page is displayed.
4. Copy the **Single sign on URL** and then go back to your Centrify account. ![copy-sso-url](/assets/images/customer/single-sign-on/centrify/copy-sso-url.jpg)
{% include alert-numbered.html style="primary" text="**Single Logout**: Bugcrowd supports only Identity Provider (IdP) initiated logouts; logging out of Bugcrowd does not log you out of your SSO provider." %}

## Adding SAML Information in Centrify
1. Go back to the **Centrify** > **Configure SAML** page ([last step in the first section](/customers/single-sign-on/centrify#adding-bugcrowd-to-your-centrify-admin-portal)).
2. In **Assertion Consumer Service URL**, paste the Single Sign on URL you copied from your Bugcrowd account.
3. Navigate to the **Advanced Settings** page.
4. Specify the following:
   * **setAudience**: Paste the Single Sign on URL you copied from your Bugcrowd account, including the quotes.
   * **Name ID Format**: Select **EmailAddress**.
   * **Application Username**: Select **Email**.
5. Save your changes.

## Mapping Centrify to Crowdcontrol
1. Keep the Centrify SAML Application Settings screen open and open a new window or tab.
2. In the new window, navigate back to the **Single Sign-On** screen in Crowdcontrol and scroll to the **SAML Settings** section.
3. Specify the following:
   * **IdP Entity ID**: Copy and paste the **Centrify Issuer** from the Centrify window.
   * **IdP SSO Target URL**: Copy and paste the **Centrify Identity Provider Sign-in URL** from the Centrify window.
4. In the Centrify window, click **Download** in the **Security Certificate** section. Open the downloaded certificate in a text editor and copy the entire contents of the file.
5.
In the Crowdcontrol window, paste the certificate contents into the **IdP Certificate** field.
{% include alert-numbered.html style="primary" text="Domain verification is required for SSO to function properly." %}

## Verifying Domain
All domains must be verified by Bugcrowd. You will not be able to log in until the email address domains are verified.
1. In Crowdcontrol, click your profile and then click **Domains**. ![click-domains](/assets/images/customer/single-sign-on/shared/domains.png) The **Domain Verification** page is displayed.
2. Specify the domain and then click **ADD DOMAIN**. ![add-domain](/assets/images/customer/single-sign-on/shared/add-domain.png) A verification code is displayed.
3. Add a TXT record at the domain's root with this code. ![unverified](/assets/images/customer/single-sign-on/shared/unverified-domain.png)
{% include alert-numbered.html style="primary" text="DNS verification may take up to 24 hours to succeed." %}
For information about adding a TXT record, consult your DNS provider. For any additional help verifying domains, send an email to ." } , { "title" : "Setting Up Single Sign-On > Google", "category" : "customer", "tags" : "", "url" : "/customers/single-sign-on/google/", "date" : "", "content" : "{% include alert.html style="warning" text="**Specific Role Required to Configure SSO**: To configure SSO for your program, you must be an [**Organization Owner**](/customers/role-and-account-management/understanding-roles-and-permissions). Organization Owners can log in using Username and Password." %}

## Adding Bugcrowd to Your Google SSO Portal
1. Log in to your Google SSO Portal account.
2. Go to the **Admin Console** page and click the three-bar drop-down menu in the upper left corner. ![admin-console](/assets/images/customer/single-sign-on/google/admin-console.png)
3. Click **Apps**. ![apps](/assets/images/customer/single-sign-on/google/apps.png)
4. Click **SAML apps**.
![saml-apps](/assets/images/customer/single-sign-on/google/saml-apps.png) The **SAML Apps** page is displayed.
5. Click the blue plus icon in the bottom right corner. ![apps-page](/assets/images/customer/single-sign-on/google/apps-page.png) The **Enable SSO for SAML Application** pop-up window is displayed.
6. Click **SETUP MY OWN CUSTOM APP** at the bottom of the window. ![custom-app](/assets/images/customer/single-sign-on/google/custom-app.png)
7. Make a note of the **SSO URL** and **Entity ID**. Download the **Certificate**. ![SSO URL entity](/assets/images/customer/single-sign-on/google/sso-url-entity.png)

## Adding SAML Information into Bugcrowd
1. In Crowdcontrol, click your profile. ![profile-click](/assets/images/customer/single-sign-on/shared/click-profile.png)
2. Click **Authentication**. ![authentication](/assets/images/customer/single-sign-on/shared/authentication.png)
3. Click **Single Sign-on (SSO)**. ![SSO](/assets/images/customer/single-sign-on/shared/single-sign-on.png)
4. Enter the SAML information you noted from Google into the Crowdcontrol SAML settings:
   * **IdP Entity ID**: Copy and paste the Entity ID shown by Google (the identity provider's Entity ID, not the SP Entity ID that Crowdcontrol displays).
   * **IdP SSO Target URL**: Copy and paste the SSO URL.
   * **IdP Certificate**: Copy and paste the certificate contents. ![saml-info](/assets/images/customer/single-sign-on/google/saml-info.png)
{% include alert-numbered.html style="warning" text="When copying and pasting the certificate contents, make sure that everything is copied, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines." %}
The next step is to transfer the Crowdcontrol SSO configuration into Google. To do this, make a note of the **SP Entity ID** and the **Single Sign On URL**.
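A truncated or mis-framed certificate paste into the **IdP Certificate** field (in the Centrify, Google, or Okta procedures) usually surfaces only later, as a failed SSO login that is hard to attribute. The script below is an added example, not Bugcrowd's or any IdP's code, that checks an exported certificate before you paste it: the `-----BEGIN/END CERTIFICATE-----` lines must be present, the body must be valid base64, and the decoded bytes must be one complete DER `SEQUENCE` whose declared length matches what was decoded. The sample certificate it runs on is a constructed DER shell with filler content, not a real X.509 certificate; a real export from your IdP goes through the same function.

```python
import base64
import re

# Added example, not Bugcrowd's code. Pre-flight check for the IdP certificate
# about to be pasted into the "IdP Certificate" field: confirms the PEM framing
# is present and that the base64 body decodes to one complete DER certificate
# (an ASN.1 SEQUENCE whose declared length equals the decoded size). A copy
# that lost its last line still decodes as base64, so the length check is what
# actually catches the truncated paste.

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(?P<body>[A-Za-z0-9+/=\s]*?)-----END CERTIFICATE-----"
)


def der_sequence_length(der: bytes) -> int:
    """Total encoded length of the outer ASN.1 SEQUENCE (tag 0x30), or -1 if malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return -1
    first = der[1]
    if first < 0x80:                          # short form: one length byte
        return 2 + first
    n = first & 0x7F                          # long form: n following length bytes
    if n == 0 or n > 4 or len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem_certificate(pem: str) -> tuple[bool, str]:
    """Return (ok, reason) for a PEM certificate about to be pasted into an SSO form."""
    match = PEM_RE.search(pem)
    if not match:
        return False, "missing -----BEGIN CERTIFICATE----- or -----END CERTIFICATE----- line"
    body = re.sub(r"\s+", "", match.group("body"))   # tolerate LF, CRLF, indentation
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:                        # binascii.Error is a ValueError subclass
        return False, "body is not valid base64 (corrupted or cut mid-line)"
    declared = der_sequence_length(der)
    if declared < 0:
        return False, "decoded bytes are not a DER SEQUENCE, so not an X.509 certificate"
    if declared != len(der):
        return False, f"DER declares {declared} bytes but {len(der)} were decoded (truncated paste?)"
    return True, f"well-formed PEM certificate, {len(der)} DER bytes"


# --- constructed sample input (not a real certificate): a DER SEQUENCE around
# 300 bytes of filler, PEM-armored in 64-character lines like an IdP export ---
def der_sequence(payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return b"\x30" + bytes([n]) + payload
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x30" + bytes([0x80 | len(length_bytes)]) + length_bytes + payload


def to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


SAMPLE_PEM = to_pem(der_sequence(b"\x02\x01\x01" * 100))
# The common mistake: the last body line was not selected when copying.
TRUNCATED_PEM = "\n".join(SAMPLE_PEM.splitlines()[:-2] + SAMPLE_PEM.splitlines()[-1:])

if __name__ == "__main__":
    for label, text in (("complete", SAMPLE_PEM), ("truncated", TRUNCATED_PEM)):
        print(label, check_pem_certificate(text))
```

Run it on the file you downloaded from the IdP (`check_pem_certificate(open("idp.crt").read())`) before pasting. The check is deliberately syntactic: it says nothing about which IdP the certificate belongs to or whether it has expired, so it complements, rather than replaces, a successful test login after saving the settings.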
![sp-entity-sso-url](/assets/images/customer/single-sign-on/google/sp-entity-sso-url.png) {% include alert-numbered.html style="primary" text="Bugcrowd only supports Identity Provider (IdP) initiated logouts; that is, logging out of Bugcrowd will not log you out of your SSO provider." %}## Adding SAML Information into Google1. Go back to the Google SAML setup window ([last step in the first section](/customers/single-sign-on/google#adding-bugcrowd-to-your-google-sso-portal)).2. Click **NEXT** to continue the process. ![google-idp-info](/assets/images/customer/single-sign-on/google/google-idp-info.png) The **Basic Information for your Custom App** page is displayed.3. In **Application Name**, specify **Bugcrowd** and click **NEXT**. ![custom-app-basic](/assets/images/customer/single-sign-on/google/custom-app-basic.png) The **Service Provider Details** page is displayed.4. Provide the Crowdcontrol SSO configuration information that you made a note of: * **ACS URL**: Paste the Single Sign On URL. * **Entity ID**: Paste the Entity ID. Click **NEXT**. ![acs-url-entity-id](/assets/images/customer/single-sign-on/google/acs-url-entity-id.png)5. Set the Bugcrowd SAML app to **On for everyone** on the right side of the **SAML Apps** page. ![on-for-everyone](/assets/images/customer/single-sign-on/google/on-for-everyone.png) {% include alert-numbered.html style="warning" text="Domain verification is required for SSO to function properly." %}## Verifying DomainAll domains must be verified by Bugcrowd. You will not be able to log in until the email address domains are verified.1. In Crowdcontrol, click your profile and then click **Domains**. ![domains](/assets/images/customer/single-sign-on/shared/domains.png) The **Domain Verification** page is displayed.2. Specify the domain and click **ADD DOMAIN**. ![add-domain](/assets/images/customer/single-sign-on/shared/add-domain.png) A verification code is displayed.3. Add a TXT record at the domain's root with this code. 
![unverified-domain](/assets/images/customer/single-sign-on/shared/unverified-domain.png) {% include alert-numbered.html style="primary" text="DNS verification may take up to 24 hours to succeed." %} For information about adding a TXT record, consult your DNS provider. For any additional help verifying domains, send an email to ." } , { "title" : "Setting Up Single Sign-On > Okta", "category" : "customer", "tags" : "", "url" : "/customers/single-sign-on/okta/", "date" : "", "content" : "{% include alert.html style="warning" text="**Specific Role Required to Configure SSO**: To configure SSO for your program, you must be an [**Organization Owner**](/customers/role-and-account-management/understanding-roles-and-permissions). Organization Owners can log in using Username and Password." %}## Adding Bugcrowd to Your Okta Apps Portal1. Log in to your Okta account and click **Admin**. ![admin](/assets/images/customer/single-sign-on/okta/admin.png)2. Hover over the **Applications** tab and click **Applications**. ![applications](/assets/images/customer/single-sign-on/okta/applications.png)3. Click **Add Application**. ![add-application](/assets/images/customer/single-sign-on/okta/add-application.png)4. Click **Create New App**. ![create-new-app](/assets/images/customer/single-sign-on/okta/create-new-app.png)5. In **Sign on method**, select **SAML 2.0** and click **Create**. ![select-saml](/assets/images/customer/single-sign-on/okta/select-saml.png) The **General Settings** page is displayed.6. Specify the following: * **App name**: Specify **Bugcrowd Inc** as the app name. * **App logo**: Click **Browse**, specify the Bugcrowd logo image, and click **Upload Logo**. ![name-logo](/assets/images/customer/single-sign-on/okta/name-logo.png)7. Click **Next**. ![click-next](/assets/images/customer/single-sign-on/okta/click-next.png) The **SAML Settings** page is displayed. To specify the information for this screen, you must access your Bugcrowd account. 
![create-saml-integration](/assets/images/customer/single-sign-on/okta/create-saml-integration.png)## Accessing SAML Information in Bugcrowd1. In Crowdcontrol, click your profile. ![profile-click](/assets/images/customer/single-sign-on/shared/click-profile.png)2. Click **Authentication**. ![click-authentication](/assets/images/customer/single-sign-on/shared/authentication.png)3. Click **Single Sign-on (SSO)**. ![single-sign-on](/assets/images/customer/single-sign-on/shared/single-sign-on.png) The **SSO Configuration for Demo Organization** page is displayed.4. Make a note of the **Single sign on URL** and **SP Entity ID**. ![url-id](/assets/images/customer/single-sign-on/okta/url-id.jpg) {% include alert-numbered.html style="warning" text="**Single Logout**: Bugcrowd only supports Identity Provider (IdP) initiated logouts; that is, logging out of Bugcrowd will not log you out of your SSO provider." %}5. Leave this screen open and go to the next step.## Adding SAML Information in Okta1. Go back to the Okta **Configure SAML** page ([last step in the first section](/customers/single-sign-on/okta#adding-bugcrowd-to-your-okta-apps-portal)).2. Specify the following information: * **Single sign on URL**: Paste the Single Sign on URL you copied from your Bugcrowd account. * **Audience URI (SP Entity ID)**: Paste the Single Sign on URL you copied from your Bugcrowd account. * **Name ID format**: Select **EmailAddress**. * **Application Username**: Select **Email**. ![configure-saml](/assets/images/customer/single-sign-on/okta/configure-saml.png)3. In the **ATTRIBUTE STATEMENTS** section, specify the following: * **Name**: Select **Role** * **Value**: Select **user.Role** Click **Next** at the bottom of the page. ![attributes](/assets/images/customer/single-sign-on/okta/attributes.png) The **Feedback** page is displayed.4. Select **I'm an Okta customer adding an internal app** and **This is an internal app that we have created** and click **Finish**. 
![finish](/assets/images/customer/single-sign-on/okta/finish.png)## Mapping Okta to Crowdcontrol1. Click **View Setup Instructions**. ![view-setup-instructions](/assets/images/customer/single-sign-on/okta/view-setup-instructions.png) The **How to Configure SAML 2.0 for Bugcrowd Inc. Application** screen is displayed.2. Make a note of the information from the following fields: * **Identity Provider Single Sign-On URL** * **Identity Provider Issuer** * **X.509 Certificate** ![saml-20-for-app](/assets/images/customer/single-sign-on/okta/saml-20-for-app.png)3. Navigate back to the **Single Sign-On** screen in Crowdcontrol and scroll to the **SAML Settings** section.4. Paste the information you copied into the following fields: * **IdP Entity ID**: Paste the **Identity Provider Issuer** information from Okta. * **IdP SSO Target URL** and **IdP SLO Target URL**: Paste the **Identity Provider Single Sign-On URL** information from Okta. * **IdP Certificate**: Paste the **X.509 Certificate** information from Okta. ![saml-settings](/assets/images/customer/single-sign-on/okta/saml-settings.png) Click **SAVE AUTHENTICATION SETTINGS** to save the information. {% include alert-numbered.html style="warning" text="Domain verification is required for SSO to function properly." %}## Verifying DomainAll domains must be verified by Bugcrowd. You will not be able to log in until the email address domains are verified.1. In Crowdcontrol, click your profile and then click **Domains**. ![click-domains](/assets/images/customer/single-sign-on/shared/domains.png) The **Domain verification** page is displayed.2. Specify the domain and click **ADD DOMAIN**. ![add-domain](/assets/images/customer/single-sign-on/shared/add-domain.png) A verification code is displayed.3. Add a TXT record at the domain's root with this code. 
![unverified](/assets/images/customer/single-sign-on/shared/unverified-domain.png) {% include alert-numbered.html style="warning" text="DNS verification may take up to 24 hours to succeed." %} For information about adding a TXT record, consult your DNS provider. For any additional help verifying domains, send an email to ." } , { "title" : "Setting Up Single Sign-On > OneLogin", "category" : "customer", "tags" : "", "url" : "/customers/single-sign-on/onelogin/", "date" : "", "content" : "If you do not have OneLogin set up, see the [getting started guide](https://www.onelogin.com/getting-started/free-trial-plan/add-apps-manual).{% include alert.html style="warning" text="**Specific Role Required to Configure SSO**: To configure SSO for your program, you must be an [**Organization Owner**](/customers/role-and-account-management/understanding-roles-and-permissions). Organization Owners can log in using Username and Password." %}## Adding Bugcrowd to Your OneLogin Apps Portal1. Log in to your [OneLogin account](https://app.onelogin.com/login).2. Select **Apps > Add Apps**. ![add-apps](/assets/images/customer/single-sign-on/onelogin/add-apps.png)3. Search for **Bugcrowd**. ![search Bugcrowd](/assets/images/customer/single-sign-on/onelogin/search-bugcrowd.png)4. Select the **Bugcrowd** app. ![select Bugcrowd app](/assets/images/customer/single-sign-on/onelogin/select-bugcrowd-app.png) The **Configuration** page is displayed.5. Modify any of the configuration settings that control how the Bugcrowd app appears in your portal, and choose the connector version you want to use. Select **SAML 2.0** as your connector. ![configuration](/assets/images/customer/single-sign-on/onelogin/configuration.png)6. Save the settings. A new set of tabs appears that allows you to configure rules, parameters, SSO, access policies, and users for the Bugcrowd app.7. Select the **SSO** tab. ![cerificate-signature](/assets/images/customer/single-sign-on/onelogin/cerificate-signature.png)8. 
Select **X.509 Certificate** (View Details) for additional information. * **Use SHA1** * **X.509 Certificate** ![x509-certificate](/assets/images/customer/single-sign-on/onelogin/x509-certificate.png) This page displays all the information that is required for adding to Crowdcontrol later. Make a note of the following information: * X.509 certificate and its fingerprint * Issuer URL * SAML 2.0 endpoint * SLO endpoint## Adding Your Identity Provider's SSO Settings to Crowdcontrol1. In Crowdcontrol, click your profile. ![click-profile](/assets/images/customer/single-sign-on/shared/click-profile.png)2. Click **Authentication**. ![authentication](/assets/images/customer/single-sign-on/shared/authentication.png)3. Click **Single Sign-on (SSO)**. ![SSO](/assets/images/customer/single-sign-on/shared/single-sign-on.png) The **SAML Settings** page is displayed.4. Specify the information you saved from OneLogin in the earlier section. ![saml-settings](/assets/images/customer/single-sign-on/onelogin/saml-settings.png) {% include alert-numbered.html style="primary" text="**Single Logout**: Bugcrowd only supports Identity Provider (IdP) initiated logouts; that is, logging out of Bugcrowd will not log you out of your SSO provider." %} The following table provides the Crowdcontrol fields mapped to OneLogin fields.

| Crowdcontrol Field | OneLogin Field |
|:-------------------|:---------------|
| IdP Certificate | X.509 Certificate |
| IdP Certificate Fingerprint | Fingerprint |
| IdP Entity ID | Issuer URL |
| IdP SSO Target URL | SAML 2.0 endpoint |
| IdP SLO Target URL | SLO endpoint |

When you add the X.509 certificate, you must copy and paste the entire contents of the certificate, including the BEGIN and END headers as shown. 
```txt -----BEGIN CERTIFICATE-----nTTDMTSCCAkWgAwIBAgIJAJC1HiIAZAiIMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVnm3LtH40luvg0sd0ng4evAT0mMYh4rdYDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXnaWRnaXRzIFB0eSBMdGQwHhcNMTExMjMxMDg1OTQ0WhcNMTIxMjMwMDg1OTQ0WjBF nt4c0fN746vaInA1KxYEeI1Rx5KXY8zIdj6a7hhphpj2E04LDdw7r495dv3UgEgpRnC3Fayua4DRHyZOLmlvQ6tIChY0ClXXuefbmVSDeUHwc8YufRAERp2GfQnL2JlPULnB7xxt8BVc69rLeHV15A0qyx77CLSj3tCx2IUXVqRs5mlSbq094NBxsauYcm0A6JqnvA== -----END CERTIFICATE----- ```5. Save the settings. Crowdcontrol displays the SSO configuration for your program.6. Copy the **OneLogin SAML Code**. ![sample-code](/assets/images/customer/single-sign-on/onelogin/sample-code.png)7. Go back to your OneLogin account and navigate to the Bugcrowd **Configuration** tab. Paste the **OneLogin SAML Code**. ![configuration-page](/assets/images/customer/single-sign-on/onelogin/configuration-page.png)## Verifying DomainAll domains must be verified by Bugcrowd. You will not be able to log in until the email address domains are verified.1. In Crowdcontrol, click your profile and then click **Domains**. ![domains](/assets/images/customer/single-sign-on/shared/domains.png) The **Domain Verification** page is displayed.2. Specify the domain and then click **ADD DOMAIN**. ![add-domain](/assets/images/customer/single-sign-on/shared/add-domain.png) A verification code is displayed.3. Add a TXT record at the domain's root with this code. ![unverified](/assets/images/customer/single-sign-on/shared/unverified-domain.png) {% include alert-numbered.html style="primary" text="DNS verification may take up to 24 hours to succeed." %} For information about adding a TXT record, consult your DNS provider. For any additional help verifying domains, send an email to .## Logging in Using SSOAfter you have enabled SSO, your team members can navigate to the Company Apps area of OneLogin and click the Bugcrowd app to log in. 
If SSO is set up properly, members will be logged in to Crowdcontrol.![example-program](/assets/images/customer/single-sign-on/onelogin/example-program.png)" } , { "title" : "Setting Up Single Sign-On > Ping Identity", "category" : "customer", "tags" : "", "url" : "/customers/single-sign-on/ping-identity/", "date" : "", "content" : "{% include alert.html style="warning" text="**Specific Role Required to Configure SSO**: To configure SSO for your program, you must be an [**Organization Owner**](/customers/role-and-account-management/understanding-roles-and-permissions). Organization Owners can log in using Username and Password." %}## Adding Bugcrowd to Your Ping Identity Account1. Log in to your Ping Identity account.2. Click **Applications**. ![applications](/assets/images/customer/single-sign-on/ping-identity/applications.png)3. Click **Add Application** > **New SAML Application**. ![new-saml-application](/assets/images/customer/single-sign-on/ping-identity/new-saml-application.png)4. Specify the following: * **Application Name**: Bugcrowd * **Application Description**: Crowdsourced Cybersecurity * **Category**: Engineering5. Leave this screen open and continue to the next step.## Accessing SAML Information in Bugcrowd1. In Crowdcontrol, click your profile. ![profile-pic](/assets/images/customer/single-sign-on/shared/click-profile.png)2. Click **Authentication**. ![authentication](/assets/images/customer/single-sign-on/shared/authentication.png)3. Click **Single Sign-on (SSO)**. ![click-sso](/assets/images/customer/single-sign-on/shared/single-sign-on.png) The **SSO Configuration for Bugcrowd Operations** page is displayed.4. Make a note of the **Single sign on URL** and **SP Entity ID**. 
![sso-url-sp-entity-id](/assets/images/customer/single-sign-on/ping-identity/sso-url-sp-entity-id.png) {% include alert-numbered.html style="warning" text="**Single Logout**: Bugcrowd only supports Identity Provider (IdP) initiated logouts; that is, logging out of Bugcrowd will not log you out of your SSO provider." %}## Adding SAML Information in Ping Identity1. Go back to Ping Identity ([last step in the first section](/customers/single-sign-on/ping-identity#adding-bugcrowd-to-your-ping-identity-account)).2. Specify the following: * **Assertion Consumer Service (ACS)**: Paste the **Single sign on URL** you copied from your Bugcrowd account. * **Entity ID**: Paste the **SP Entity ID** you copied from your Bugcrowd account. ![settings](/assets/images/customer/single-sign-on/ping-identity/settings.png)3. Save and publish.## Mapping Ping Identity to Crowdcontrol1. Click **View Setup Instructions**.2. Download the **Certificate** and **SAML Metadata** file and open these files using a text editor. ![mapping](/assets/images/customer/single-sign-on/ping-identity/mapping.png)3. From the SAML metadata `xml` file, copy the **entityID** and paste it into the **IdP Entity ID** field in Crowdcontrol. ![saml-metadata](/assets/images/customer/single-sign-on/ping-identity/saml-metadata.png)4. Copy the **Initiate Single Sign-On (SSO) URL** from Ping Identity into the **IdP SSO Target URL** field in Bugcrowd. ![initiate-sso-url](/assets/images/customer/single-sign-on/ping-identity/initiate-sso-url.png)5. Copy the contents from the **Certificate** file and paste it into the **IdP Certificate** field in Bugcrowd. ![idp-certificate](/assets/images/customer/single-sign-on/ping-identity/idp-certificate.png) After you complete these steps, the settings should look similar to the following screenshot. ![saml-settings](/assets/images/customer/single-sign-on/ping-identity/saml-settings.png)6. Click **Save Authentication Settings**. 
{% include alert-numbered.html style="warning" text="Domain Verification is required for SSO to function properly." %}## Verifying DomainAll domains must be verified by Bugcrowd. You will not be able to log in until the email address domains are verified.1. In Crowdcontrol, click your profile and then click **Domains**. ![domains](/assets/images/customer/single-sign-on/shared/domains.png) The **Domain Verification** page is displayed.2. Specify the domain and click **ADD DOMAIN**. ![add-domain](/assets/images/customer/single-sign-on/shared/add-domain.png) A verification code is displayed.3. Add a TXT record at the domain's root with this code. ![unverified-domain](/assets/images/customer/single-sign-on/shared/unverified-domain.png) For information about adding a TXT record, consult your DNS provider. For any additional help verifying domains, send an email to . {% include alert-numbered.html style="primary" text="DNS verification may take up to 24 hours to succeed." %}## Logging in Using SSOAfter you have enabled SSO, your team members can navigate to the Company Apps in Ping Identity and click the Bugcrowd app to log in. If SSO is set up properly, members will be logged in to Crowdcontrol.![example](/assets/images/customer/single-sign-on/ping-identity/example.png)" } , { "title" : "Setting Up Single Sign-On", "category" : "customer", "tags" : "onboarding", "url" : "/customers/single-sign-on/sso-overview/", "date" : "", "content" : "Bugcrowd offers a Security Assertion Markup Language (SAML) based Single Sign-On (SSO) integration with Okta, Centrify, OneLogin, Ping Identity, and Google to help you create an easy and centralized way to log in to Crowdcontrol. SAML is an XML-based standard for SSO authentication that provides a simplified way to access the applications you can use. 
{% include alert.html style="warning" text="**Specific Role Required to Configure SSO**: To configure SSO for your program, you must be an [**Organization Owner**](/customers/role-and-account-management/understanding-roles-and-permissions). Organization Owners can log in using Username and Password." %}" } , { "title" : "Adding Remediation Advice", "category" : "customer", "tags" : "submission-management", "url" : "/customers/submission-management/adding-remediation-advice/", "date" : "", "content" : "## Enabling Remediation AdviceYou can enable remediation advice for all submissions in your program. Once enabled, you'll be able to quickly learn how to address a vulnerability directly from the submission.![vulnerability](/assets/images/customer/adding-vulnerability-remediation/vulnerability.png)To add remediation advice to your submissions, you'll need to enable it within **Settings > Additional fields**.![remediation-advice](/assets/images/customer/adding-vulnerability-remediation/remediation-advice.png)To enable it, toggle remediation advice to the right as shown in the image below.![enable-ra](/assets/images/customer/adding-vulnerability-remediation/enable-ra.png)Once activated, you'll see two new fields on the **Additional fields** page:* **Remediation Advice** - Provides guidance for fixing a vulnerability.* **References** - Provides links to industry standard sites, like OWASP, CVE, and CWE, that give you a more detailed description and context for the vulnerability.The remediation advice and references will automatically populate on your submissions based on the VRT rating assigned to the submission. For more information on our VRT, see .## Editing the Remediation AdviceThe **Remediation Advice** and **References** fields can be edited on a per-submission basis. 
To better support your developers, you may want to add information or edit the advice to best fit your business case.To edit the **Remediation Advice** or **References** field, click the *Edit* icon within the section.![edit-ra](/assets/images/customer/adding-vulnerability-remediation/edit-ra.png)The section will display as editable markdown. You can change the information however you'd like. The information for the field you've modified will not be overwritten by any updates to the VRT. Customized remediation advice and references will always take precedence over the information from the VRT." } , { "title" : "Assigning Submissions > Auto-Assign Submissions", "category" : "customer", "tags" : "", "url" : "/customers/submission-management/assigning/auto-assign/", "date" : "", "content" : "Auto-assign triaged submissions to a default team member to notify them of any actionable submission as soon as it has been validated by our Technical Operations team. To do this, follow the steps below:{% include alert.html style="danger" text="**Role-Based Access Restrictions**: Setting a default team member for the auto-assign submission feature is restricted to Organization Owners and Program Admins." %}## 1. Navigate to Settings PageSelect **Settings** on the Crowdcontrol Navbar as seen below.![settings](/assets/images/customer/auto-assign-submissions/settings.png)## 2. Select the Manage Team TabAt the top of the **Settings** page, select the **Manage Team** tab as seen below.![manage-tab](/assets/images/customer/auto-assign-submissions/manage-tab.png)## 3. Select Default Team MemberOn the right-hand side, use the drop-down field to select a team member to act as the primary user to be auto-assigned to all submissions moved to the 'Triage' status.![select-team-member](/assets/images/customer/auto-assign-submissions/select-team-member.png)## 4. Auto-SaveOnce you have selected the team member, the settings will auto-save. 
A green pop-up notification at the bottom of the screen confirms that the settings were saved.![auto-save](/assets/images/customer/auto-assign-submissions/auto-save.png)" } , { "title" : "Assigning Submissions", "category" : "customer", "tags" : "submission-management", "url" : "/customers/submission-management/assigning/overview/", "date" : "", "content" : "When you assign a submission to yourself or someone assigns you to a submission, it automatically subscribes you to the submission's activity stream. You will be notified about all the submission changes.{% include alert.html style="warning" text="**Assignment Limitation**: You can only assign one person to a submission (primary owner). If you are not the submission owner, you can [subscribe](/customers/submission-management/subscribing) to the submission to receive updates." %}## Assigning Submission to YourselfTo assign a submission to yourself, on the **Submission Details** page, click **Assign me**.![assign-me](/assets/images/customer/assigning-submissions/assign-me.png)The submission is assigned to you and your name is displayed as shown.![assigned-me](/assets/images/customer/assigning-submissions/assigned-me.png)## Assigning Submission to Another PersonTo assign a submission to another person, on the **Submission Details** page, click **Someone else**.![someone-else](/assets/images/customer/assigning-submissions/someone-else.png)A drop-down menu displays all the members of your organization. 
In the **Search** box, search for the name of the person to whom you want to assign the submission or select a name from the list.![assign-someone](/assets/images/customer/assigning-submissions/assign-someone.png)After you select a name, the submission is assigned to that person.![assigned-someone](/assets/images/customer/assigning-submissions/assigned-someone.png)## Reassigning a SubmissionTo reassign a submission, click on the name of the person who is currently assigned to the submission.![reassign](/assets/images/customer/assigning-submissions/reassign.png)A drop-down menu displays a list of your team members. Search for the person to whom you want to reassign the submission.![reassign-someone](/assets/images/customer/assigning-submissions/reassign-someone.png)The **Assignee updated** message is displayed. Also, the name of the person assigned to the submission is displayed.## Clearing AssigneeTo clear the assignee for a submission, click on the name of the person currently assigned to the submission. A drop-down menu displays a list of your team members.Click **Clear assignee**.![clear-assignee](/assets/images/customer/assigning-submissions/clear-assignee.png)The **Assignee updated** message is displayed and the name of the person who was assigned to the submission is cleared.![assignee-updated](/assets/images/customer/assigning-submissions/assignee-updated.png)" } , { "title" : "Blockers", "category" : "customer", "tags" : "submission-management", "url" : "/customers/submission-management/blockers/", "date" : "", "content" : "Generally, these requests help us to:* Clarify details in a submission* Obtain updated credentials for a target* Access a target* Update payment information## Add a Blocker1. When adding a private comment or replying directly to a user, you can select the **Create a Blocker** option. ![create-blocker](/assets/images/customer/blockers/create-blocker.png)2. 
To set a blocker for Bugcrowd Operations or Researchers, select any of the following options from the drop-down: * **Bugcrowd Operations**: The blocker is created for Bugcrowd Operations, who must respond to resolve the blocker. * **Researcher**: The blocker is created on the Researcher(s), who must respond to resolve the blocker. ![setting-blocker](/assets/images/customer/blockers/setting-blocker.png)3. Select one of the reasons for creating the blocker: * Provide information on reproduction * Provide information on impact * Respond to comments ![blocker-reason](/assets/images/customer/blockers/blocker-reason.png)4. Click **Save private comment** or **Send message** based on your initial selection. The comment along with the blocker will be added to the submission. {% include alert-numbered.html style="warning" text="A submission can only have a single blocker pending at a time. You can add another blocker only after the existing blocker is resolved." %}## View Blocker ActivitiesEach time Bugcrowd creates a blocker, it is logged in the submission's activity feed. Everyone who has access to the submission has full visibility into the blocker's current state and progress. For example, you can see when a blocker has been created or completed.![blocker-activities](/assets/images/customer/blockers/blocker-activities.png)## View Blocker AlertsTo help you identify submissions that are blocked, an alert icon will appear in the [submissions inbox](/customers/getting-started/the-submissions-page). The alert notifies you that the submission has been marked by a Bugcrowd ASE as blocked and needs something from either you or a researcher.![blocker-alerts](/assets/images/customer/blockers/blocker-alerts.png)On the submission, the blocker is displayed at the top as a page alert. The page alert includes a brief description and identifies who has to respond to unblock the submission. 
For example, *"Waiting on **'org name'** to provide information"* indicates that the ASE is waiting for a response.![alert-message](/assets/images/customer/blockers/alert-message.png){% include alert.html style="primary" text="**Note:** Blocker alerts are visible to all the researchers on the submission." %}Bugcrowd ASEs will provide further context for the blocker in a Team Note in the activity feed.![private-note](/assets/images/customer/blockers/private-note.png)## Search for BlockersGenerally, submissions that transition between the **New** and **Triage** states may require more information as they are being reviewed. Therefore, blockers will appear more often on submissions in these two states.To find blockers, you can filter your submissions using the `blocked-by` token. You can then filter by submissions blocked by anyone, customers, researchers, or Bugcrowd operations. You can also search for unblocked submissions.For more information, see [filtering submissions](/customers/submission-management/filtering).![blocker-filter](/assets/images/customer/blockers/blocker-filter.png)## Resolve BlockersOnce you resolve the blocker, add a comment on the submission and select the **Notify Bugcrowd Operations that the blocker is resolved** option.You can use the [commenting method](/customers/submission-management/commenting) that delivers the information to the intended audience. If you want the information to be accessible only to Bugcrowd, add a team note. Researchers will only see that you resolved the blocker. Otherwise, you can add a regular comment if you want everyone to see your response. 
![resolve-blocker](/assets/images/customer/blockers/resolve-blocker.png)After you resolve the blocker, it will be updated on the activity feed and a green checkmark icon will indicate the blocker has been resolved.![green-checkmark](/assets/images/customer/blockers/green-checkmark.png)" } , { "title" : "Commenting", "category" : "customer", "tags" : "submission-management", "url" : "/customers/submission-management/commenting/", "date" : "", "content" : "When adding comments, you can style your text using the Markdown syntax. For more information, see [using markdown for formatting content](/customers/submission-management/using-markdown-for-formatting-content).## Adding a Private Comment{% include alert.html style="primary" text="Private comments are only viewable by customers and ASEs, not researchers." %}When you click **Add a private comment**, the following screen is displayed.![private-comment](/assets/images/customer/submission-comments/private-comment.png)Click **Save private comment** to send the message to Bugcrowd and your team on Crowdcontrol.## Replying Directly to ResearcherWhen you click **Reply to (user name)**, the following screen is displayed.![direct-to-user](/assets/images/customer/submission-comments/direct-to-user.png)Click **Send message**. The message is sent to the researcher and it is visible to everyone in the submission activity stream. The researcher will receive an email notification that you have commented on their submission requesting additional information from them. Even if the submission is not yet claimed, the email notification is sent to the researcher.{% include alert.html style="primary" text="The **Reply to (researcher)** option is unavailable for submissions made anonymously (through the embedded form without providing an email address) or that have no associated researcher (for example, through Qualys)." %}## Adding Blocker When Replying to CommentYou can add a blocker for a submission. 
For information about blockers, see [blockers](/customers/submission-management/blockers).## Viewing Submission ActivitiesEach submission has an activity stream that maintains a history log of all actions, comments, and changes that have been made to a submission and a record of the person who made the changes.![activities](/assets/images/customer/submission-comments/activities.png){% include alert.html style="primary" text="When you comment on a submission, you automatically subscribe to receive updates for that submission. Learn more about [submissions](/customers/submission-management/subscribing) and how to unsubscribe from them." %}When adding a comment, you can notify a team member directly by mentioning their name using the “@” key. This is useful when you need to alert someone who is not currently [assigned](/customers/submission-management/assigning/overview) or [subscribed](/customers/submission-management/subscribing) to a submission.{% include alert.html style="primary" text="Mention the Application Security Engineer on-staff for your submission by mentioning @Bugcrowd." %}## Uploading an Attachment with Your CommentWhen replying to a researcher or sending a private message, you can click **Add attachments** and attach a video, image, or PDF. This helps you share sensitive information without uploading it to third party.![add-attachment](/assets/images/customer/submission-comments/add-attachment.png)Browse to the location of the file you want to upload. You can attach up to five files at a time.The supported file types are `avi`, `gif`, `jpg`, `mov`, `mpeg`, and `pdf`.{% include alert.html style="primary" text="The size of each uploaded file cannot exceed 100 MB." %}The attached files are displayed as shown. To delete an attachment,. 
click the **X** icon.![attachments-uploaded](/assets/images/customer/submission-comments/attachments-uploaded.png)## Editing a Comment{% include alert.html style="primary" text="**Editing prior to notifications**: If you edit the comment within two minutes, the notifications sent to other users about the comment use the updated text. Note that integrations trigger right away and do not receive the updated text." %}You can edit comments and/or private notes.To edit a comment, click the **...** icon on the right side of the comment and click **Edit**.![edit-comment](/assets/images/customer/submission-comments/edit-comment.png)Make the required changes and click **Save Comment**.![save-comment](/assets/images/customer/submission-comments/save-comment.png)The **Comment Updated** message is displayed.## Deleting a CommentYou can delete comments and/or private notes.To delete a comment, click the **...** icon on the right side of the comment and click **Delete**.![delete](/assets/images/customer/submission-comments/delete.png)A pop-up message asking for confirmation is displayed. Click **OK**.The comment is deleted and **[DELETED]** is displayed in the activity feed.![deleted-message](/assets/images/customer/submission-comments/deleted-message.png)" } , { "title" : "Coordinated Disclosure Request", "category" : "customer", "tags" : "submission-management", "url" : "/customers/submission-management/coordinated-disclosure-request/", "date" : "", "content" : "A researcher can request to disclose the submission report if the **Coordinated disclosure** option is enabled in the CrowdStream settings. It is enabled by default. 
If it is disabled, see [enabling disclosure of submissions](/customers/submission-management/disclosure-and-crowdstream-settings/#enabling-or-disabling-researchers-to-request-submission-disclosure) for how to enable coordinated disclosure.{% include alert.html style="primary" text="The disclosure policy that applies to a submission is the one in effect when the submission was created. If a submission was created before coordinated disclosure was disabled for a program, the researcher can still request disclosure and you can process the request. If a submission was created after coordinated disclosure was disabled, the researcher cannot request disclosure for that submission." %}## Viewing Disclosure RequestWhen a researcher sends a disclosure request for a submission, you can view the request in the submission's **Disclosure request** section. You can either approve or deny the disclosure request. Make sure you read the [public disclosure policy](/researchers/reporting-managing-submissions/disclosure).![view](/assets/images/customer/disclosure/view.png)## Approving Disclosure RequestIn the **Respond to disclosure request** section, select **Approve disclosure request**. Additional fields are displayed.![approve](/assets/images/customer/disclosure/approve.png)You can add your own summary for this vulnerability and/or change the level that was set by the researcher (if required). You can style your text using the Markdown syntax. For more information, see [using markdown for formatting content](/customers/submission-management/using-markdown-for-formatting-content). Click **Publish disclosure**.![publish](/assets/images/customer/disclosure/publish.png)The disclosure is published and the researcher is notified. The following message is displayed and the submission report summary becomes visible to the public in CrowdStream.![request-approved-message](/assets/images/customer/disclosure/request-approved-message.png)You can click **View disclosed report** to view the submission report that is published. 
The following image shows the disclosed report with full visibility.![full-visibility](/assets/images/customer/disclosure/full-visibility.png)The following image shows a disclosed report with limited visibility.![limited-visibility](/assets/images/customer/disclosure/limited-visibility.png)## Saving SummaryIf you want to save the details and publish at a later time, click **Save summary**.![save-summary](/assets/images/customer/disclosure/save-summary.png)The **Report summary saved** message is displayed and the button name changes to **Summary saved**.![summary-saved-button](/assets/images/customer/disclosure/summary-saved-button.png)## Denying Disclosure RequestIn the **Respond to disclosure request** section, select **Deny disclosure request**.![denying-request](/assets/images/customer/disclosure/denying-request.png)Provide the reason for denying the disclosure request and click **Deny disclosure**. You can style your text using the Markdown syntax. For more information, see [using markdown for formatting content](/customers/submission-management/using-markdown-for-formatting-content). The following message is displayed in the **Disclosure request** section of the submission and the researcher is notified.![request-denied-message](/assets/images/customer/disclosure/request-denied-message.png)## Viewing Cancelled Disclosure RequestIf the researcher cancels the disclosure request, then the following message is displayed in the **Disclosure request** section of the submission.![request-cancelled-message](/assets/images/customer/disclosure/request-cancelled-message.png)" } , { "title" : "Updating Program Brief > Managing Disclosure and CrowdStream", "category" : "customer", "tags" : "", "url" : "/customers/submission-management/disclosure-and-crowdstream-settings/", "date" : "", "content" : "Researchers can choose whether to display their user name and/or rewards received for a submission. 
For more information, see [setting CrowdStream visibility](/researchers/reporting-managing-submissions/viewing-program-activity-feed-in-crowdstream#setting-crowdstream-visibility-options). The information displayed for a submission in CrowdStream depends on both your visibility settings and the visibility settings configured by the researcher.## Enabling CrowdStream Visibility for Program1. Select a program, go to **Settings** > **Program brief** and view the **CrowdStream settings** section displayed on the right. ![program-brief](/assets/images/customer/crowdstream-visibility/program-brief.png)2. In **Submission activity**, the **Enable CrowdStream visibility** option is enabled by default. To disable this option, move the slider left. ![enable-visibility](/assets/images/customer/crowdstream-visibility/enable-visibility.png)3. Click **Update CrowdStream settings**. ![click-update](/assets/images/customer/crowdstream-visibility/click-update.png) The **CrowdStream settings updated** message is displayed.## Enabling or Disabling Researchers to Request Submission Disclosure1. Select a program, go to **Settings** > **Program brief** and view the **CrowdStream settings** section displayed on the right. ![crowdstream-settings](/assets/images/customer/crowdstream-visibility/crowdstream-settings.png)2. In **Disclosure policy**, select one of the following options: * Coordinated disclosure: Allows researchers to send submission disclosure requests for the program. This option is selected by default. * No disclosure: Does not allow researchers to send submission disclosure requests for the program. ![coordinated-disclosure](/assets/images/customer/crowdstream-visibility/coordinated-disclosure.png)3. Click **Update CrowdStream settings**. ![update Crowdcontrol](/assets/images/customer/crowdstream-visibility/update-crowdcontrol.png) The **CrowdStream settings updated** message is displayed. 
Programs that have CrowdStream enabled have submission details displayed as shown. ![message](/assets/images/customer/crowdstream-visibility/message.jpg)## Configuring Visibility Settings for Single Submission1. Open a submission and click the **...** icon. ![configure-single-submission-visibility](/assets/images/customer/crowdstream-visibility/configure-single-submission-visibility.png)2. Move the slider to the right for the **Exclude this submission from CrowdStream** option. ![slider](/assets/images/customer/crowdstream-visibility/slider.png) The **CrowdStream visibility updated** message is displayed and the submission is no longer shown in the CrowdStream activity feed. If you move the slider back to the left, the submission is included in CrowdStream again." } , { "title" : "Filtering Submissions", "category" : "customer", "tags" : "submission-management", "url" : "/customers/submission-management/filtering/", "date" : "", "content" : "{% include alert.html style="primary" text="**Filter Options**: You can use the filter options on both the **Submissions** and **Insights** pages." %}## Filter KeysFilter keys narrow your submissions down to a specific set of results.The following filter keys and possible values are available.| Key | Value | Description ||:----|:------|:------------|| assignee | `me`, `none`, or any email of a User on the program | Matches on a User's email who has permissions on the program. || duplicate | `true` or `false` | Matches based on whether the submission is a duplicate of another submission or not. || payments | `none` or `present` | Matches if there is any payment on a submission. || state | `new`, `triaged`, `wont-fix`, `not-applicable`, `not-reproducible`, `out-of-scope`, `unresolved`, and `resolved` | Matches on submission state. Supports [negative search](#negative-search). || sort | `payment`, `points`, `severity`, `submitted`, or `updated` | Append `-asc` or `-desc` depending on how you want the results sorted. 
|| severity | `1-5`, `none`, or `present` | Matches the severity assigned to the submission. Supports [negative search](#negative-search). || source | `api`, `csv`, `email`, `external_form`, `platform`, or `qualys` | Matches the origin of the submission. Supports [negative search](#negative-search). || target | `none` | Matches on the target name. Supports [negative search](#negative-search).|| target-type | `android`, `api`, `hardware`, `ios`, `iot`, `other`, or `website` | Matches the target type. Supports [negative search](#negative-search). || researcher | | Returns submissions based on the username of the researcher who submitted them. Supports [negative search](#negative-search). || submitted | `YYYY-MM-DD`, `YYYY-MM-DD` | Returns submissions that were submitted during the specified date range. Click the calendar icon to select the required date range. For information about the calendar icon, see [search submissions for date range](#search-submissions-for-date-range). || points | `none` or `present` | Returns submissions that have or have not been awarded points. || blocked-by | `none`, `present`, `bugcrowd-operations`, `customer`, `researcher` | Returns submissions that are currently blocked and need additional action from a specific party.|| custom-fields | `none` or `present` | Returns submissions whose custom fields do or do not have values entered. This filter option is available only if you have defined at least one custom label in **Settings** > **Fields and Settings** > **Data Fields**. For information about defining the custom labels, see additional fields. 
|| disclosure-request | `none`, `approved`, `cancelled`, `denied`, `draft`, `requested` | Returns submissions whose disclosure request is in the given state. || vrt | `application-level-denial-of-service-(dos)`, `application-level-denial-of-service-(dos)/app-crash`, `application-level-denial-of-service-(dos)/critical-impact-and-or-easy-difficulty`, `application-level-denial-of-service-(dos)/high-impact-and-or-medium-difficulty`, `broken-access-control-(bac)`, `broken-access-control-(bac)/exposed-sensitive-android-content`, `broken-access-control-(bac)/insecure-direct-object-references-(idor)`, `broken-access-control-(bac)/server-side-request-forgery-(ssrf)`, `broken-access-control-(bac)/username-enumeration`, `broken-authentication-and-session-management`, `broken-authentication-and-session-management/authentication-bypass` | Matches the VRT category or subcategory. For information about VRT classifications, see the [Vulnerability Rating Taxonomy](https://bugcrowd.com/vulnerability-rating-taxonomy). |## Filter SyntaxTo create a query, use the syntax `key:value`. Make sure you include a colon after the filter key and do not include any spaces between the filter key and value.You can enter multiple filter key/value pairs in the query, such as: `state:unresolved severity:1`. By default, the query includes `sort:submitted-desc`, which sorts your submissions in descending order based on the dates they were submitted. You can remove or replace this filter key/value.## Filter LogicThere is an AND operator between unique filter keys; however, multiple instances of the same filter key use the OR operator. For example, `state:unresolved severity:1` returns all P1 submissions that have been triaged but have not been fixed. The query `state:unresolved severity:1 severity:2` returns all P1 and P2 submissions that have been triaged but have not been fixed.## Negative SearchCertain filters allow negative search, which lets you find values that do not match the specified value. 
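To make the filter syntax and logic above concrete, here is an added example that evaluates queries written in this syntax over a small in-memory inbox. It is not Bugcrowd code and not how Crowdcontrol implements search; it only models the rules documented on this page: `key:value` tokens, AND between distinct keys, OR between repeated values of one key, `-key:value` as a deny list (the negative search described in this section), one or more `sort:<field>-asc|desc` tokens applied in the order they are declared, and `sort:submitted-desc` as the default sort. Only a subset of the filter keys is modelled (`state`, `severity`, `source`, `duplicate`, `payments`, `submitted`), the field names on the sample records are assumed to mirror the filter keys, and the five sample submissions are constructed. A malformed token raises an error rather than silently returning nothing.

```python
"""Evaluator for the submission filter syntax described in this section.

Added example, not Bugcrowd code: it models the documented query semantics
(AND between distinct keys, OR between repeated values of one key,
`-key:value` as a deny list, `sort:<field>-<asc|desc>` tokens applied in the
order declared, `sort:submitted-desc` as the default) over an in-memory inbox.
Only a subset of the filter keys is modelled; the inbox data is constructed.
"""
from datetime import date

# Constructed sample inbox. Field names mirror the filter keys on this page;
# severity None means "no priority assigned yet", payments 0 means none.
SUBMISSIONS = [
    {"id": 1, "state": "unresolved", "severity": 1, "source": "platform",
     "duplicate": False, "payments": 500, "submitted": date(2020, 8, 1)},
    {"id": 2, "state": "unresolved", "severity": 2, "source": "qualys",
     "duplicate": False, "payments": 0, "submitted": date(2020, 8, 3)},
    {"id": 3, "state": "triaged", "severity": 1, "source": "platform",
     "duplicate": True, "payments": 0, "submitted": date(2020, 8, 5)},
    {"id": 4, "state": "resolved", "severity": None, "source": "email",
     "duplicate": False, "payments": 150, "submitted": date(2020, 7, 20)},
    {"id": 5, "state": "unresolved", "severity": 2, "source": "platform",
     "duplicate": False, "payments": 0, "submitted": date(2020, 8, 9)},
]


def matches(sub, key, value):
    """Does one submission field satisfy a single key:value token?"""
    field = sub.get(key)            # unknown key -> None -> never matches
    if value == "none":
        return field in (None, 0)
    if value == "present":
        return field not in (None, 0)
    if key == "severity":
        return field == int(value)  # severity:1 .. severity:5
    if key == "duplicate":
        return field is (value == "true")
    return field == value


def parse(query):
    """Split a query into positive filters, negative filters and sort specs."""
    pos, neg, sorts = {}, {}, []
    for tok in query.split():
        negate = tok.startswith("-")
        key, sep, value = tok.lstrip("-").partition(":")
        if not sep or not key or not value:
            raise ValueError(f"malformed token {tok!r}: expected key:value")
        if key == "sort":
            field, _, order = value.rpartition("-")
            if not field or order not in ("asc", "desc"):
                raise ValueError(f"sort value must be <field>-asc|desc: {tok!r}")
            sorts.append((field, order == "desc"))
        else:
            (neg if negate else pos).setdefault(key, []).append(value)
    return pos, neg, sorts or [("submitted", True)]


def run_query(query, submissions=SUBMISSIONS):
    """Return the ids of the submissions selected by `query`, in sort order."""
    pos, neg, sorts = parse(query)

    def selected(sub):
        # AND across distinct keys; OR across repeated values of one key
        for key, values in pos.items():
            if not any(matches(sub, key, v) for v in values):
                return False
        # deny list: any matching negative token excludes the submission
        for key, values in neg.items():
            if any(matches(sub, key, v) for v in values):
                return False
        return True

    result = [s for s in submissions if selected(s)]
    # The first declared sort token is the primary key. Python's sort is
    # stable, so applying the tokens in reverse order achieves that.
    # Records missing the sort field go last in ascending order.
    for field, desc in reversed(sorts):
        result.sort(key=lambda s: (s.get(field) is None, s.get(field) or 0),
                    reverse=desc)
    return [s["id"] for s in result]
```

For example, `run_query("state:unresolved severity:1 severity:2 -source:qualys")` keeps the P1 and P2 unresolved submissions and then drops the one that came from Qualys, while `run_query("-duplicate:true sort:severity-asc sort:submitted-desc")` orders by priority first and newest-first within each priority, matching the multiple-sort behaviour described later on this page.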
You can think of a negative search as a deny list. To perform a negative search, add a `-` before the key, for example `-state:triaged`.You can perform a negative search with the following filter keys: `state`, `program`, and `target`, as well as the other keys marked as supporting negative search in the table above.## Building a QueryTo help you build a submissions query, a list of available filter keys appears when you click in the search field. After you select a filter key, the search field shows you possible values based on what you've selected.![building-query](/assets/images/customer/filtering-submission/building-query.png)Remember, you can use as many key/value combinations as you need, and there is an AND operator between unique filter keys and an OR operator between multiple instances of the same filter key. As you add filter key/value pairs to the query, the results automatically refresh to show you the latest results.{% include alert.html style="primary" text="If you input an invalid filter key or query, no submissions will be returned. Please review your queries for any errors if the results do not show the submissions you expect to see." %}## Using Multiple "Sort" QueriesThe tokenized search bar allows for multiple sorting criteria. Sorting parameters are applied to search results in the order they are declared in tokens. Below is an example sorted first by *priority* and second by *old to new*:![sort-queries](/assets/images/customer/filtering-submission/sort-queries.png)## Preset QueriesThere are preset queries available that let you quickly find submissions that are new, need to be reviewed, need to be fixed, or have been fixed. Click on the filter and the query is displayed in the search field.![preset-queries](/assets/images/customer/filtering-submission/preset-queries.png)The following preset queries are available:| Query | Filters | Description ||:------|:--------|:------------|| Processing | `state:new` | Finds new submissions that need to be reviewed. 
|| Blocked | `blocked-by:customer` | Shows submissions that are blocked by the customer and are waiting for information from Bugcrowd's ASEs or researchers. || To review | `state:triaged` | Returns submissions that have been triaged and need to be accepted or rejected. || To fix | `state:unresolved` | Shows submissions that are valid and need to be resolved. || Fixed | `state:resolved` | Looks for submissions that have been fixed and may need to be retested by the researcher. |## Search Submissions for Date Range{% include alert.html style="primary" text="**Filtering based on submitted date:** While other date filters are available within submission filtering, only filtering by a submission's `submitted` date is available through the **calendar** icon." %}To specify a date range:1. Click the **calendar** icon. The calendars for two consecutive months are displayed at a time. You can use both or one calendar to specify a date range as per your requirement.2. In the first calendar, change the year, select the month, and select a date to indicate the start date (for example, July 25, 2019).3. In the second calendar, the consecutive month is displayed. For example, if the month and year in the first calendar is July 2019, then in the second calendar the month and year is August 2019. Change the year, select a month, and select a date to indicate the end date (for example, September 18, 2019). You can also move the month and year using the back arrow and forward arrow icons. When you select the end date, the calendar closes and the selected date range is displayed in the filter box. The submissions submitted during this date range are displayed. ![calendar](/assets/images/customer/filtering-submission/calendar.gif) Click the **?** icon at the bottom right corner of the calendar to view the following information about the keyboard shortcut keys, which you can use to specify the date range. 
| Keyboard Shortcut Key | Description | |:----------------------|:------------| | ↵ | Select the date in focus. | | ←/→ | Move backward (left) and forward (right) by one day. | | ↑/↓ | Move backward (up) and forward (down) by one week. | | PgUp/PgDn | Switch months.| | Home/End | Go to the first or last day of a week. | | `Esc` | Return to the date input field. |" } , { "title" : "Managing Notifications > Customer On-call Person", "category" : "customer", "tags" : "", "url" : "/customers/submission-management/on-call-customer/", "date" : "", "content" : "To triage submissions successfully, our Security Operations team collaborates directly with customers when it needs information or feedback about submissions to their program. This conversation often happens in comments that include mentions to call attention to the message. To make sure the right person is notified, your team can manage who Bugcrowd notifies on mentions. Setting the email addresses for Bugcrowd to notify speeds up your ability to accept and react to submissions.This works with email integration solutions such as:* [OpsGenie](https://docs.opsgenie.com/docs/creating-alerts-via-email)* [PagerDuty](https://www.pagerduty.com/docs/guides/email-integration-guide/)* [VictorOps](https://support.smartbear.com/alertsite/docs/integrations/victorops/email.html)* Many other email intake integrationsTo configure the email addresses that must be notified on mentions, select the required program and go to **Settings** > **Manage Teams**.In the **@customer** box, type the email address and click **Add**.![add-email](/assets/images/customer/on-call-customer/add-email.png)The **Successfully added** message is displayed.To remove an email address, click **Remove** next to the address that you want to remove.![remove-email](/assets/images/customer/on-call-customer/remove-email.png)The **Successfully removed** message is displayed." 
} , { "title" : "Reporting an Incident", "category" : "customer", "tags" : "submission-management", "url" : "/customers/submission-management/reporting-an-incident/", "date" : "", "content" : "Bugcrowd partners with its customers in dealing with any issue involving a security researcher. Drawing on years of experience in de-escalating and resolving such issues, our team lets you report incidents directly in the platform, which is seamless for you and enables us to react quickly.You can report an incident for the following:* [Reporting an incident on submission](/customers/submission-management/reporting-an-incident/incident-for-a-submission)* [Reporting a general related incident](/customers/submission-management/reporting-an-incident/general-incident)" } , { "title" : "Reporting an Incident > Reporting a General Related Incident", "category" : "customer", "tags" : "", "url" : "/customers/submission-management/reporting-an-incident/general-incident/", "date" : "", "content" : "## Click the Report an Incident LinkClick your profile picture and then click **Report an incident**.![general-report-incident](/assets/images/customer/report-incident/general-report-incident.png)The **Report an incident** page is displayed.![general-page](/assets/images/customer/report-incident/general-page.png)## Select a Reason for the IncidentFrom the **Reason** drop-down menu, select the reason for the incident:* **Behavioural**: Disruptive testing, unprofessional, or aggressive behaviour.* **Disclosure**: Unauthorized or threatened disclosure of vulnerability information.* **Out of scope**: Testing targets outside the approved program scope.![reason](/assets/images/customer/report-incident/reason.png)## Select a Program for the IncidentIn the **Programs** section, provide one or more bounty codes that relate to the incident you are reporting.![select-program](/assets/images/customer/report-incident/select-program.png)## Provide Description for the IncidentIn the **Description** section, 
you can provide the incident details along with additional submission URLs and/or researcher user names.To style your text, you can apply the Markdown syntax. For more information, see [using markdown for formatting content](/customers/submission-management/using-markdown-for-formatting-content).![general-description](/assets/images/customer/report-incident/general-description.png)After providing the incident **Reason**, **Programs** (optional), and **Description**, click **Submit incident**." } , { "title" : "Reporting an Incident > Reporting an Incident for a Submission", "category" : "customer", "tags" : "", "url" : "/customers/submission-management/reporting-an-incident/incident-for-a-submission/", "date" : "", "content" : "## Click the Report an Incident IconFor a submission, click the **...** icon and select **Report an incident**.![report-incident-icon](/assets/images/customer/report-incident/report-incident-icon.png)The **Report an incident** page is displayed.![page](/assets/images/customer/report-incident/page.png)## Select a Reason for the IncidentFrom the **Reason** drop-down menu, select the reason for the incident. The available options are:* **Behavioural**: Disruptive testing, unprofessional, or aggressive behaviour.* **Disclosure**: Unauthorized or threatened disclosure of vulnerability information.* **Out of scope**: Testing targets outside the approved program scope.![select-reason](/assets/images/customer/report-incident/select-reason.png)## Provide Description for the IncidentIn the **Description** section, you can provide the incident details along with additional submission URLs and/or researcher user names.To style your text, you can apply the Markdown syntax. 
For more information, see [using markdown for formatting content](/customers/submission-management/using-markdown-for-formatting-content).![description](/assets/images/customer/report-incident/description.png)After providing the incident **Reason** and **Description**, click **Submit incident**.Once you submit the escalation, Bugcrowd reviews it and decides on the required action.If another team member tries to escalate the same submission before our team has fully reviewed it, they see the following message in the escalation form, which helps prevent double reports.![duplicate-incident-message](/assets/images/customer/report-incident/duplicate-incident-message.png)After reviewing the escalation, we update its status, which you can see directly within the submission.![submission-escalation-message](/assets/images/customer/report-incident/submission-escalation-message.png)" } , { "title" : "Retesting", "category" : "customer", "tags" : "submission-management", "url" : "/customers/submission-management/retesting/", "date" : "", "content" : "{% include alert.html style="warning" text="**Paid Add-On**: To enable this feature on your program, contact your Account Manager." %}## Request Retest{% include alert.html style="primary" text="**Accepted Submissions Only**: To request a retest, a submission must be in the `Unresolved` or `Resolved` state. This ensures that the submission acceptance workflow is followed." %}To request a retest on a submission:1. Go to the recently patched submission.2. Scroll down the submission to near the comment box, and click **Request Retest**. ![request-retest](/assets/images/customer/retesting/request-retest.png)3. The retest is now in a pending state. Based on the priority of the submission, the retest will be completed within the applicable SLA. 
![pending](/assets/images/customer/retesting/pending.png) {% include alert-numbered.html style="primary" text="**One retest at a time**: A retest can only be requested on a submission if one is not already pending." %}## Successful Retest ResponseIf the vulnerability is not present upon retest, the Bugcrowd ASE marks the retest as **patched**. When this is done, the submission automatically updates to the **Resolved** state.![successful](/assets/images/customer/retesting/successful.png)## Failed Retest ResponseIf the vulnerability is still present upon retest, the Bugcrowd ASE marks the retest as **failed**. When this is done, the submission automatically updates to the **Unresolved** state.![failed](/assets/images/customer/retesting/failed.png)Once the vulnerability is re-patched, you can request another retest on the submission, following the same process as above.We send an email to anyone subscribed to the submission with updates on the retest outcome.{% include alert.html style="warning" text="**Limited retesting per submission**: Each submission can be retested a maximum of two times." %}" } , { "title" : "Rewarding", "category" : "customer", "tags" : "submission-management", "url" : "/customers/submission-management/rewarding/", "date" : "", "content" : "You can reward a researcher at any point in the submission process. However, it is recommended that you reward researchers when you change a [submission status](/customers/submission-management/submission-status) from "Triaged" to "Unresolved." 
At this point, you have indicated internally that the submission is valid and needs to be fixed, which means that the researcher's job of finding the vulnerability is done and they should be rewarded for their work.To reward a researcher, go to the Submissions page and select the submission you want to reward.Click the **Add Reward** button located in the Submission Settings.![add-reward](/assets/images/customer/reward-submission/add-reward.png)A pop-up appears and displays the recommended amount you should pay the researcher. This amount is based on the priority assigned to the submission and [Bugcrowd’s Vulnerability Rating Taxonomy](https://bugcrowd.com/vulnerability-rating-taxonomy). You can pay the recommended amount or enter a custom amount in the **Reward amount** field.![researcher-amount](/assets/images/customer/reward-submission/researcher-amount.png)If you want to include a message to the researcher, you can use the **Note to researcher** field. For example, you may want to send a congratulatory message or provide a reason for the amount rewarded.When you are ready to pay out the reward, click the **Pay** button.The researcher receives a notification of the reward and your bounty pool is debited for the amount.{% include alert.html style="primary" text="**Important**: Before you pay out the reward, make sure that you have thoroughly validated the submission and have selected the appropriate amount to reward the researcher. You cannot change the reward after you click **Pay**." %}## Calculating the Worth of a BugBugcrowd provides a recommended reward based on the priority that you assign to the submission. You can tweak the payment as needed. 
For an overview of what goes into setting the appropriate budget and reward range for your bounty program, read [this article](https://ww2.bugcrowd.com/resources-guide-bugcrowds-defensive-vulnerability-pricing-model).An alert appears if you reward the researcher an amount outside the recommended range. To continue with that amount, you must provide a note to the researcher; if you do not, you cannot submit the reward.![alert](/assets/images/customer/reward-submission/alert.png)## Additional Bonus Rewards or TipsA researcher will often make an additional effort to help you remediate and retest a fixed vulnerability, even after you have paid them for the original submission. For this additional work, we recommend adding a bonus for the researcher's time and effort.To add a bonus on top of the researcher's bounty reward:1. Go to the submission you want to reward.2. Click the **Add Additional Reward** button.3. When the additional reward pop-up appears, select an amount from the list or enter a different amount in the custom field.4. When you are ready to pay the reward, click **Pay**.![add-additional-reward](/assets/images/customer/reward-submission/add-additional-reward.png)You can reward the researcher as many times as you need. 
From the **Add Additional Reward** window, you can see the amount that has already been paid to the researcher and what the new cumulative total will be.![additional-reward-amount](/assets/images/customer/reward-submission/additional-reward-amount.png)" } , { "title" : "Managing Submission Severity > Managing CVSS Scores", "category" : "customer", "tags" : "submission-management", "url" : "/customers/submission-management/severity/cvss/", "date" : "", "content" : "Base metrics measure the impact and exploitability of a vulnerability. They include the attack vector (AV), attack complexity (AC), privileges required (PR), user interaction (UI), scope (S), confidentiality impact (C), integrity impact (I), and availability impact (A).To learn more about the base metrics, see the CVSS v3.0 specification published by FIRST.## Enabling the CVSS CalculatorTo enable the CVSS v3 Calculator:1. Go to **Settings**. ![settings](/assets/images/customer/managing-cvss-scores/settings.jpg)2. Go to the **Additional Fields** tab. ![additional-fields](/assets/images/customer/managing-cvss-scores/additional-fields.jpg)3. Find the **Common Vulnerability Scoring System v3 Calculator** option and turn it on. ![cvss-calc-option](/assets/images/customer/managing-cvss-scores/cvss-calc-option.jpg) The button turns blue when you enable the option. ![cvss-calc-option-on](/assets/images/customer/managing-cvss-scores/cvss-calc-option-on.jpg) After you enable the calculator, you can go to any submission to add a CVSS score.## Adding a CVSS ScoreCVSS scores can be added to any submission using the calculator.To add a CVSS score to a submission:1. Find the **CVSS Base v3.0** field. ![cvss-field](/assets/images/customer/managing-cvss-scores/cvss-field.jpg)2. Click the **Edit** icon next to the field. ![cvss-edit](/assets/images/customer/managing-cvss-scores/cvss-edit.jpg)3. When the calculator appears, specify the values for each metric. To learn more about the metrics and what they measure, see the CVSS v3.0 specification published by FIRST. 
![cvss-base](/assets/images/customer/managing-cvss-scores/cvss-base.jpg)4. Save your changes. After you save your changes, the CVSS score is added to the submission, along with the values you assigned to each metric. ![cvss-score](/assets/images/customer/managing-cvss-scores/cvss-score.jpg) The CVSS score is not visible to researchers. You can edit the field as needed." } , { "title" : "Managing Submission Severity", "category" : "customer", "tags" : "submission-management", "url" : "/customers/submission-management/severity/overview/", "date" : "", "content" : "Crowdcontrol offers five priority levels that you can assign to submissions:* **P1 Critical**: The issue identified in the submission has the highest priority and should be treated as a major blocker. Typically, submissions with a P1 priority render the application unusable and require immediate attention.* **P2 Severe**: The issue identified in the submission is not critical but significantly impacts the application.* **P3 Moderate**: The submission does not present a critical or severe issue, but does uncover a flaw in the application that needs to be fixed.* **P4 Low**: This submission is the lowest priority and represents a minor issue.* **P5 Informational**: This submission is an informational finding and is accepted as a non-rewardable submission.{% include alert.html style="warning" text="**Opt-In Program - P5 Informational Findings**: P5 Informational submissions will automatically be transitioned to a 'Won't Fix' status unless you opt in to have specified findings triaged into your accepted submission workflow. For more information, see [opt-in program - P5 informational](/customers/submission-management/severity/p5-opt-in)." 
%}{% include alert.html style="primary" text="**Need help prioritizing your vulnerabilities**: Take a look at our [VRT (Vulnerability Rating Taxonomy)](https://bugcrowd.com/vulnerability-rating-taxonomy) document which outlines Bugcrowd’s baseline priority rating utilizing data from past programs." %}## Go to the Submission DetailsGo to the **Submissions** page. From the **Submissions Inbox**, select the submission to which you want to assign a priority level.![details-page](/assets/images/customer/submission-priorities/details-page.png)## Set the Priority for a SubmissionClick the **Priority** dropdown and choose the priority you want to assign to the submission.![priority](/assets/images/customer/submission-priorities/priority.png)The priority for the submission immediately updates. Every member who subscribes to the submission receives a notification that the priority has changed." } , { "title" : "Managing Submission Severity > Opt-In Program - P5 Informational", "category" : "customer", "tags" : "", "url" : "/customers/submission-management/severity/p5-opt-in/", "date" : "", "content" : "By default, [P5 Informational](/customers/submission-management/severity/overview) findings are automatically transitioned by Bugcrowd to a ['Won't Fix' status.](/customers/submission-management/submission-status) These are submissions seen as an accepted business risk, or that do not impact your organization or users of your product. In certain cases, organizations may want specific Informational findings to be fixed. Organizations that wish to see P5 Informational findings may opt in to have Bugcrowd transition specified findings into their accepted submissions workflow. 
To opt in and receive specified P5 Informational findings, contact your dedicated Account Manager or email us at .Organizations may decide to include specific high-level categories or be more granular to include specific subcategories and variants within the P5 Informational findings according to our [Vulnerability Rating Taxonomy (VRT)](https://bugcrowd.com/vulnerability-rating-taxonomy)." } , { "title" : "Updating Program Brief > Enabling and Sharing Known Issues", "category" : "customer", "tags" : "", "url" : "/customers/submission-management/sharing-known-issues-with-researchers/", "date" : "", "content" : "This level of transparency has a couple of key benefits:* **Increases efficiency**: Visibility into previously found vulnerabilities provides researchers with insights to better focus their testing efforts so that they can submit more unique issues and fewer duplicates.* **Increases testing activity**: Programs that share previously found vulnerabilities are seen as more appealing to researchers because they are more likely to be the first to find unique vulnerabilities and be rewarded.Shared known issues appear on the program brief, are grouped by target, and categorized by VRT classification. Any issue with a status of triaged, unresolved, or duplicate will be visible to the researcher. Researchers can drill down into known issues by VRT classification.{% include alert.html style="primary" text="The Known Issue counts are displayed in the Program Brief for all the submissions on those targets across one's organization and not only for that program." %}By default, the option to share known issues is not enabled. To enable known issue sharing, go to your Program Settings.![settings](/assets/images/customer/sharing-known-issues/settings.jpg)From the **Program Brief** tab, find the **Known Issues** section. Select the **Display known issues count on program brief** option. 
All P1-P4 issues classified as `triaged`, `unresolved`, `won't fix`, or `duplicate` will be shared.![display-known-issues-option](/assets/images/customer/sharing-known-issues/display-known-issues-option.png)Click **Update program** to apply the changes.![update-program](/assets/images/customer/sharing-known-issues/update-program.png)When the researcher views the program brief, they can view the known issues in the **Targets** area. For more information, see [Viewing Known Issues](/researchers/participating-in-program/reviewing-bounty-briefs/viewing-known-issues)." } , { "title" : "Submission Details > Additional Fields", "category" : "customer", "tags" : "", "url" : "/customers/submission-management/submission-details/additional-fields/", "date" : "", "content" : "{% include alert.html style="danger" text="**Attention: Internal Use Only:** These fields will only be visible to you; researchers will not be able to view these fields." %}{% include alert.html style="warning" text="**Role Requirements-Adding Fields**: Your [role](/customers/role-and-account-management/understanding-roles-and-permissions) in the organization determines your level of activity on Crowdcontrol. **Organization Owners** and **Program Administrators** have permission to add fields to a submission." %}## Navigating to Fields and Settings TabGo to **Settings** and click **Fields and settings**. The **Additional fields** page is displayed.![fields-settings-tab](/assets/images/customer/submission-details/fields-settings-tab.png)## Add, Edit or Remove an Additional Field### Add a FieldType in the new field name in the **Data fields**. 
This label will be the title of your new field.![add-field](/assets/images/customer/submission-details/add-field.png)Click the **+** button to add the field.### Edit a FieldTo edit a field, select the **Edit** icon located to the right of the field as seen in the image below.![edit-field](/assets/images/customer/submission-details/edit-field.png)The field will appear at the bottom of all submissions on the program as seen in the image below.![updated-field](/assets/images/customer/submission-details/updated-field.jpg)### Remove a FieldTo remove a field, select the **X** icon located to the right of the field.![remove-field](/assets/images/customer/submission-details/remove-field.jpg)A pop-up warning window will appear. This warning will identify the number of submissions that will be affected by removing the selected field.![remove-pop-up](/assets/images/customer/submission-details/remove-pop-up.png)The **affected** number represents all submissions with text input into the details section of the selected field, as seen in the image below.![affected-number](/assets/images/customer/submission-details/affected-number.png)Submissions with the details section left **empty**, as seen below, will not be counted as an **affected submission**; however, the field will also be deleted from these submissions.![empty](/assets/images/customer/submission-details/empty.png){% include alert.html style="success" text="**Caution: Submissions Affected:** All text previously input into the details section of the selected field will be permanently deleted across all submissions once the field has been removed." 
%}To confirm removing the selected field, select the blue **Remove** button.## Add or Edit an Additional Field's Value on a SubmissionTo add or edit the details section on a submission, first navigate to the **Submissions** page on the [Crowdcontrol navbar](/customers/getting-started/the-crowdcontrol-toolbar) as seen below.{% include alert.html style="warning" text="**Role Requirements for Adding or Editing an Additional Field**: Your [role](/customers/role-and-account-management/understanding-roles-and-permissions) in the organization determines your level of interaction with a submission. **Organization Owners**, **Program Administrators**, and **Program Analysts** have permission to add or edit field details on a submission."%}![submissions-tab](/assets/images/customer/submission-details/submissions-tab.jpg)Next, select a submission in the **Submission Inbox** located on the left. To find a specific submission, use the **Submission Search Bar** or **Submission Filters**.![inbox](/assets/images/customer/submission-details/inbox.jpg)To add or edit details in a field, hover over the field. Then select the **Edit** icon to the right as seen below.![edit-icon](/assets/images/customer/submission-details/edit-icon.jpg)Type in the details and then select the blue **Save** button.All added or edited field details will be logged in the activity feed below the submission details as seen below.![save](/assets/images/customer/submission-details/save.jpg)## Search Submission by Additional Field InformationYou can search for submissions using keywords found in the additional fields. To do this, use the **Submission Search Bar** located in the top left corner of the **Submissions Page**, as seen in the image below.![search](/assets/images/customer/submission-details/search.png){% include alert.html style="danger" text="**Attention: Submission Search Limitations**: Searching for submissions by additional fields can only be done by searching for the contents of the field. 
Typing in the name of the additional field will result in an unsuccessful submission search."%}" } , { "title" : "Submission Details > Downloadable Submission Details via CSV", "category" : "customer", "tags" : "", "url" : "/customers/submission-management/submission-details/download-via-csv/", "date" : "", "content" : "Submission details for a specific program can be exported into a CSV file and downloaded to your system. The following fields are included in the file:* ID* Bounty Code* Source* Title* Amount* Bug URL* Description* HTTP Request* Extra Info* Submitted At* Priority* Target Name* Target Category* Custom FieldsTo export the submission details to a CSV file, navigate to the **Submissions** page.![download-submission](/assets/images/customer/submission-details/download-submission.png)Use the tokenized search bar to set filters that dictate which submissions will be included in the CSV file. To export all submissions, clear all filters.![filter](/assets/images/customer/submission-details/filter.png)After the filters are set, click **Download CSV** in the upper right-hand corner. A CSV file will be saved to your system. When you open the file, the submission details for a program will be listed.![download-csv](/assets/images/customer/submission-details/download-csv.png)To download a specific subset of submissions, change the [submission status](/customers/submission-management/submission-status) to the groupings of submissions you wish to export and repeat the process again." } , { "title" : "Submission Details > Editing Submission Details", "category" : "customer", "tags" : "", "url" : "/customers/submission-management/submission-details/editing/", "date" : "", "content" : "To update the **Submission Title**, **VRT**, **Remediation**, **References**, and **CVSS** fields, click the **Edit** icon. 
For the **Submission Details** section, click the **Edit** button.To update multiple fields at a time, click **Edit** for all the fields, update the information, and click **Save**.## Submission TitleTo edit the submission title that describes the vulnerability, click the **Edit** icon as shown.![title-edit](/assets/images/customer/submission-details/title-edit.png)Edit the text and click **Save**. The changes are saved.![title-save](/assets/images/customer/submission-details/title-save.png)## Vulnerability Rating Taxonomy (VRT)To edit the vulnerability category based on its type and technical severity, click the **Edit** icon.![vrt-edit](/assets/images/customer/submission-details/vrt-edit.png)From the drop-down menu, select the required category.![vrt-select](/assets/images/customer/submission-details/vrt-select.png)Select the **Update the CVSS classification from the VRT** option to make sure that the CVSS Base score is updated. Click **Save**. The changes are saved.![vrt-save](/assets/images/customer/submission-details/vrt-save.png){% include alert.html style="primary" text="**VRT is Mapped to CVSS**: VRT is mapped to CVSS and automatically generates the appropriate CVSS score for any submission based on its VRT categorization. The **Update CVSS classification from VRT** option is visible only if the **Common Vulnerability Scoring System v3 Calculator** option is enabled in **Settings** > **Fields and settings** > **CVSS v3**." %}## Submission DetailsTo edit the submission details such as the Target affected by the vulnerability, the affected Bug URL, and Custom fields (not visible to researchers), click the **Edit** button.![details-edit](/assets/images/customer/submission-details/details-edit.png)Provide the values in the fields and click **Save**. 
The changes are saved.![details-save](/assets/images/customer/submission-details/details-save.png)## Remediation and ReferencesTo edit remediation and/or references, click the **Edit** icon, update the text, and click **Save**. To style your text, you can apply the Markdown syntax. For more information, see [using markdown for formatting content](/customers/submission-management/using-markdown-for-formatting-content). The changes are saved.The following image shows the **Remediation** section.![remediation-edit](/assets/images/customer/submission-details/remediation-edit.png)The following image shows the **Remediation** section after you have clicked the **Edit** icon.![remediation-save](/assets/images/customer/submission-details/remediation-save.png)The following image shows the **References** section.![references-edit](/assets/images/customer/submission-details/references-edit.png)The following image shows the **References** section after you have clicked the **Edit** icon.![references-save](/assets/images/customer/submission-details/references-save.png)## CVSSTo edit CVSS, click the **Edit** icon.![cvss-edit](/assets/images/customer/submission-details/cvss-edit.png)The **CVSS base score** pop-up window displays the CVSS v3 calculator that allows you to adjust the metrics. Click the required options for each metric. For information on how to score vulnerabilities and interpret the CVSS scores, see [CVSS standards guide](https://www.first.org/cvss/user-guide).Based on your selection, the score is calculated and displayed on the top-right corner.After selecting the required options, click **Save**. 
The changes are saved.![cvss-save](/assets/images/customer/submission-details/cvss-save.png)" } , { "title" : "Submission Details", "category" : "customer", "tags" : "submission-management", "url" : "/customers/submission-management/submission-details/overview/", "date" : "", "content" : "The Submission Details page provides the information you need to investigate an issue reported by a researcher. All bug reports submitted to your program include the required information to help you reproduce and validate the issue.To view the details for a submission, select the submission from the Submissions Inbox.![details](/assets/images/customer/submission-details/details.png)The Submission Details page appears for the submission you have selected.Each submission has the following information:* **Caption**: The title or short description of the vulnerability report.* **Details**: Further details on the vulnerability discovered including what it is, what the possible security impact is, replication steps, and proof of concept.* **VRT (Technical Severity)**: The severity level of the vulnerability based on a 1-5 scale (1 being critical) and the vulnerability classification based on Bugcrowd's Vulnerability Rating Taxonomy (VRT).* **Target**: Identifies which target is affected by the vulnerability.* **Bug URL**: Identifies which URL is affected by the vulnerability.* **HTTP Request*** **CVSS Base**: Bugcrowd's Vulnerability Rating Taxonomy (VRT) is mapped to the CVSS scoring to calculate an automated CVSS score of the vulnerability - this score may be manually adjusted.* **Attachments**: Additional photos or videos to help provide further clarification or visual representation of a proof of concept.{% include alert.html style="primary" text="Additional fields such as **Application Version** can be added to include further clarification on the submission. These fields will not be visible to the researchers and are intended for internal use. 
For more information, see [additional fields](/customers/submission-management/submission-details/additional-fields)." %}" } , { "title" : "Submission Details > Viewing Priority Percentile in Submission", "category" : "customer", "tags" : "", "url" : "/customers/submission-management/submission-details/priority-percentile/", "date" : "", "content" : "To view the priority percentile in a submission, hover over the pentagon icon. The all-time percentile icon is available in two locations as shown.![priority-percentile](/assets/images/customer/submission-details/priority-percentile.png)When you hover over the pentagon icon, a bar graph will appear displaying the researcher’s priority percentile that includes the following:* All five priority levels, displayed as different colors: P1, P2, P3, P4, and P5* The percentile level in relation to all researchers. The size of the bar and the percentile value indicate the percentile level.{% include alert.html style="primary" text="Percentiles are based on all the valid submissions: Won’t Fix, Duplicate, Unresolved, and Resolved." %}![displayed-percentiles](/assets/images/customer/submission-details/displayed-percentiles.png)The following image shows the different colors displayed for different priority levels.![percentile-colors](/assets/images/customer/submission-details/percentile-colors.png)" } , { "title" : "Assigning Submission Statuses", "category" : "customer", "tags" : "submission-management", "url" : "/customers/submission-management/submission-status/", "date" : "", "content" : "When a researcher submits a submission, its status will always be "New." After you review the submission and determine its validity, you can change the submission status to one that reflects its state more accurately.## Status OptionsThere are three categories of statuses: open, accepted, and rejected. Within each category are the following statuses:* **Open** * New: A submission that has not been reviewed or assigned a status. 
* Triaged: A submission that has been confirmed valid and unique by the Bugcrowd ASE team and is ready for the customer to accept.* **Accepted** * Unresolved: A valid submission that needs to be fixed. Typically, you should [reward a submission](/customers/submission-management/rewarding) at this point in the process. * Resolved: A valid submission that has been fixed. * Duplicate: A valid submission that is a duplicate of another submission.* **Rejected** * Out of Scope: A submission you reject because it falls outside the scope criteria outlined in the bounty program. * Not Reproducible: A submission you reject because you cannot reproduce it based on the information you have. * Won't Fix: A submission that you reject because it is seen as an accepted business risk, or does not impact your organization or the users of your product. * Not Applicable: A submission that you reject because it does not apply to your application.## Changing Submission StatusTo change a submission's status, go to the [Submissions Page](/customers/getting-started/the-submissions-page) and select the submission you want to update.Click on the status dropdown to view a list of available statuses.![change-status](/assets/images/customer/submission-status/change-status.png)Select the status you want to assign to the submission.![select-status](/assets/images/customer/submission-status/select-status.png){% include alert.html style="primary" text="**Duplicate Issues**: If you mark a submission as a duplicate, you must specify the submission that it duplicates. It can be a duplicate of a submission you have received as part of your bug bounty program or a duplicate of an issue tracked outside of Bugcrowd." %}" } , { "title" : "Managing Notifications > Subscribing to a Submission", "category" : "customer", "tags" : "", "url" : "/customers/submission-management/subscribing/", "date" : "", "content" : "{% include alert.html style="primary" text="Subscribing to a submission triggers notifications. 
Learn more about [notifications](/customers/role-and-account-management/notification-settings)." %}## Subscribing to a Submission DirectlyTo subscribe to a submission, go to the [Submissions Page](/customers/getting-started/the-submissions-page) and select the submission you want to follow.Click **Subscribe**.![subscribe](/assets/images/customer/subscription/subscribe.png)## Other Ways to Subscribe to a SubmissionYou automatically subscribe to a submission when you comment or make a change to it. For example, if you pay out a reward for a submission, you are automatically subscribed to receive updates for any activity on that submission.You indirectly subscribe to a submission when you perform any of the following tasks:* Leave a team note* Send a direct message to a researcher* Pay out a reward* Change the submission status* Change the submission priority* Assign the submission to yourself or another team member## Unsubscribing from a SubmissionTo unsubscribe from a submission, go to the [Submissions Page](/customers/getting-started/the-submissions-page) and select the submission you want to unsubscribe from.Click **Unsubscribe**.![unsubscribe](/assets/images/customer/subscription/unsubscribe.png)" } , { "title" : "Using Markdown for Formatting Content", "category" : "customer", "tags" : "submission-management", "url" : "/customers/submission-management/using-markdown-for-formatting-content/", "date" : "", "content" : "To apply Markdown, add Markdown syntax to the text to indicate the words and phrases for which the formatting must be applied. By default, you are adding text in **Write** mode. After applying Markdown, you can click **Preview** to view the text in **HTML** format.## Markdown Syntax ExamplesTo make a phrase bold, add two asterisks before and after the phrase. 
When you render the page to HTML, the text will be displayed in bold.![bold](/assets/images/customer/markdown/bold.png)To denote a word or phrase as code, enclose it in tick marks (`).![code](/assets/images/customer/markdown/code.png)To create code blocks, use three ticks before and after the code.![code-block](/assets/images/customer/markdown/code-block.png)To embed images, drag and drop the images, or select and paste the images. The images are uploaded and the Markdown code for the uploaded images is displayed in **Write** mode.You can embed images such as JPEG, GIF, or PNG files. The file size must not exceed 2 MB.Click **Preview** to view the rendered image in HTML format. The embedded images are displayed in the **Attachments** section.![embed-images](/assets/images/customer/markdown/embed-images.gif)If you delete the code in **Write** mode, then to re-embed the image, click the **Copy (image file name) as Markdown** icon (as shown in the following video). This copies the Markdown for re-embedding the image to the clipboard. Paste the code in the text box. The code to embed the image is displayed. Click **Preview** to view the rendered image.To delete the image, in the **Attachments** section, click the X icon for the image.![copy-as-markdown](/assets/images/customer/markdown/copy-as-markdown.gif)For more information about the Markdown formatting syntax, see ." 
} , { "title" : "The Insights Dashboard > Bounty Spending", "category" : "customer", "tags" : "", "url" : "/customers/the-insights-dashboard/bounty-spending/", "date" : "", "content" : "In the **Spend** section on the **Insights** dashboard, you can view a snapshot of the amount (in dollars) spent at any point in time on your bounty program.![Insights Spend](/assets/images/customer/insights/spend/overview.png)## Spending Statistics Based On SubmissionsThe highlighted sections provide information about the spending metrics such as:* Total dollars rewarded to researchers (does not include duplicate submissions)* Lowest reward paid to researchers* Average amount (in dollars) rewarded per valid submission* Highest reward paid to researchers![Insights Spend Reward Breakup](/assets/images/customer/insights/spend/breakdown.png)## Spending Statistics Based on TargetThe highlighted section provides information about the total amount (in dollars) rewarded to researchers for a specific target.![Insights Spend Reward Target](/assets/images/customer/insights/spend/by-target.png){% include alert.html style="primary" text="**Additional Insight**: For additional details about your bounty spending such as the amount remaining in your bounty pool or a time-log of rewards paid, click the **Rewards** tab on the Crowdcontrol navbar. For information about the **Rewards** page, see [the Rewards page](/customers/getting-started/the-rewards-page)." %}" } , { "title" : "The Insights Dashboard > Downloading Report and Exporting Submission Data", "category" : "customer", "tags" : "", "url" : "/customers/the-insights-dashboard/download-reports-and-export-submission-data/", "date" : "", "content" : "The **Insights** dashboard enables you to download a PDF based on the filters or export the submission data as a CSV file. Use the PDF to highlight the progress of your program. 
To customize and create your own report, integrate your bounty results with other vulnerability assessment data using the CSV file.## Downloading PDFTo download a PDF of your Insights report, click **Download** and then click **Download PDF**.![Insights Download](/assets/images/customer/insights/export/pdf.png)The PDF is downloaded to your system.## Exporting Submission Data to CSVTo export submissions to a CSV file, click **Download** and then click **Export Submissions to CSV**.![Insights Export Submission to CSV](/assets/images/customer/insights/export/csv.png)The CSV file is downloaded to your system.Information available in the CSV is detailed in [Downloadable Submission Details via CSV](/customers/submission-management/submission-details/download-via-csv)" } , { "title" : "The Insights Dashboard > Insights Filtering", "category" : "customer", "tags" : "", "url" : "/customers/the-insights-dashboard/insights-filtering/", "date" : "", "content" : "The **Insights** dashboard provides the ability to customize your report with an extensive filter system. This filtering system allows you to create a custom report based on your requirements.For example, you can generate a customized report using the following tokenized search functionality:* Show submissions during the `last month`* With technical severity as `critical` or `severe`* Either `broken authentication and session management` or `insecure data storage` on `*.bugcrowd.com`{% include alert.html style="primary" text="**Default Filters**: When the page loads, the default filters exclude imported and duplicate submissions; you can adjust them using the tokenized search functionality." 
%}![Insights Dashboard Filtering](/assets/images/customer/insights/filtering.png)For information about the filter keys and syntax, see [filtering submissions](/customers/submission-management/filtering).## Persisting Filters to Submission PageTo avoid resetting the filters entered in the tokenized search bar, you can persist the queries from the **Insights** page to the **Submissions** page. To do this, click the **View submission details** link as shown. The **Submissions** page is displayed based on the same filters.![Insights Dashboard Filtering](/assets/images/customer/insights/view-submission-details-link.png)" } , { "title" : "The Insights Dashboard > Program Performance", "category" : "customer", "tags" : "", "url" : "/customers/the-insights-dashboard/program-performance/", "date" : "", "content" : "On the **Insights** dashboard, in the **Performance** section, you can view a snapshot of your program efficiency rating. This helps to identify the average time required for transitioning a submission through the complete workflow (as per the preceding steps).The following image shows the performance metrics for the three stages in the workflow. Also, it displays the [transition time based on severity](#transition-time-based-on-severity).![Insights Program Performance](/assets/images/customer/insights/performance/overview.png){% include alert.html style="warning" text="**Workflow Integration-Sync Jira Issues with Crowdcontrol**: Integrate your application security workflow with [bi-directional Jira](/customers/integration-management/jira). Utilizing the Jira integration enables you to automatically create a Jira ticket with a single click on the Crowdcontrol platform. Also, this integration automatically moves a submission from `Unresolved` to `Resolved` after closing the associated issue in Jira. For more information about workflow integration with Jira, see [Jira](/customers/integration-management/jira)." 
%}## Triaging SubmissionsWhen researchers submit new submissions, the submissions are in the **New** state. Bugcrowd's Security Analysts identify the valid vulnerability submissions and change the state to **Triaged**. The triaged submissions are transitioned to the security teams.In the following image, the value in **Days in triage** indicates the average number of days taken to triage and transition valid vulnerability submissions.![Insights Dashboard Performance Days in Triage](/assets/images/customer/insights/performance/days-in-triage.png)## Reviewing SubmissionsWhen the security team receives the triaged submission, they review and reconfirm whether the vulnerability is valid and requires a fix. If it requires a fix, then the submission state is changed to **Unresolved** and the submission is transitioned to the development team.In the following image, the value in **Days in review** indicates the average number of days taken for a submission to transition to the **Unresolved** state.![Insights Dashboard Performance Days in Review](/assets/images/customer/insights/performance/days-in-review.png)## Fixing SubmissionsWhen the development team receives an unresolved submission, they fix the vulnerability and the submission is transitioned from the **Unresolved** to the **Resolved** state.In the following image, the value in **Days to fix** indicates the average number of days taken for a submission to transition to the **Resolved** state.![Insights Dashboard Performance Days to Fix](/assets/images/customer/insights/performance/days-to-fix.png)### Transition Time Based on SeverityThe **Transition times by severity** section shows the average time taken for submissions to transition through the workflow based on the vulnerabilities' technical severity.![Insights Dashboard Performance Days Transition Time Severity](/assets/images/customer/insights/performance/transition-time-severity.png)" } , { "title" : "The Insights Dashboard > Submission Trends", "category" : "customer", "tags" : "", 
"url" : "/customers/the-insights-dashboard/submission-trends/", "date" : "", "content" : "The **Submissions Received** section on the **Insights** dashboard provides a comprehensive understanding of the submission trends in your program. It helps to identify actionable submissions that are currently in the **open** state.## Timeline View Of Submissions Received Based On SeverityThe **Submissions received** section provides a timeline view (impact levels) of valid submissions received based on technical severity.![Insights Submissions By Severity](/assets/images/customer/insights/submissions/by-severity.png)Hover over a single column on the graph to view the number of valid submissions for a specific time period.![Insights Submissions By Severity Hover](/assets/images/customer/insights/submissions/by-severity-hover.png)## Timeline View Of Total Submissions Received Over TimeIn the **Submissions Received** section, click **Volume** to view the total number of submissions received for a given time period for a program. You can identify trends and spikes in submissions associated with program adjustments such as new code releases, broadening the scope, increasing the reward range, PR announcements, or incentive programs.![Insights Submissions Received By Volume](/assets/images/customer/insights/submissions/by-volume.png)Hover over a single column on the graph to view the total number of submissions for the specific period.![Insights Submissions By Volume Hover](/assets/images/customer/insights/submissions/by-volume-hover.png){% include alert.html style="primary" text="**Bugcrowd Account Manager Guidance**: Bugcrowd Account Managers provide guidance to help organizations run a healthy and effective bounty program. Contact your assigned account manager or to collaborate with an expert and discuss strategies to help improve and maintain a healthy program." 
%}## Total Submissions Received**Submissions received** represents the total number of submissions your program has received for a given time period. It includes valid and non-valid (won't fix, out of scope, not reproducible, and not applicable) submissions. However, it does not include duplicate submissions.![Insights Submissions Received](/assets/images/customer/insights/submissions/received.png)## Open Vulnerabilities**Open vulnerabilities** represent the total number of vulnerabilities in the `Open` state from the filtered time period. These are actionable submissions in the `Triaged` or `Unresolved` state that must be addressed by your team. Quickly addressing these submissions will improve your [program performance](/customers/the-insights-dashboard/program-performance).![Insights Open Vulnerabilities](/assets/images/customer/insights/open-vulnerabilites.png)## Fixed Vulnerabilities**Fixed vulnerabilities** represent the total number of vulnerabilities fixed from the filtered time period.![Insights Fixed Vulnerabilities](/assets/images/customer/insights/fixed-vulnerebilities.png)## Target BreakdownThe **Target breakdown** section provides a snapshot view of the total number of submissions received on a target over a specific time period.You can identify targets that:* Receive the highest and lowest number of vulnerabilities* Are most and least secure![Insights Target Breakdown](/assets/images/customer/insights/target-breakdown.png)## Submission Type and SeverityThe **Submission type and severity** section provides a view of the total number of valid vulnerabilities submitted for your program based on the vulnerability type. These vulnerability types represent the top level categories based on [Vulnerability Rating Taxonomy (VRT)](https://bugcrowd.com/vulnerability-rating-taxonomy). The table lists the most common vulnerabilities found in your targets. 
You can send this information to your development team for improving the application security.The **Technical severity** graph provides a view of the most common submissions received by technical severity over a specific period of time.![Submission type and severity](/assets/images/customer/insights/submissions/type-and-severity.png)" } , { "title" : "The Insights Dashboard", "category" : "customer", "tags" : "reporting", "url" : "/customers/the-insights-dashboard/the-insights-dashboard/", "date" : "", "content" : "## Navigating to Insights DashboardTo view the Insights dashboard, click on the **Insights** tab.![Insights click on tab](/assets/images/customer/insights/click-on-tab.png)## Viewing Submissions ReceivedThe **Submissions Received** section helps you to identify submissions that are currently in the **Open** state. It provides information about:* Submission trends based on technical severity and volume* Number of submissions received (excluding duplicate submissions) for a given period of time* Number of open and fixed vulnerabilities along with their status* Targets that are receiving submissions* Submission type and severityThe following image shows the submission trend based on severity.![Insights Submissions Received by Severity](/assets/images/customer/insights/submissions/by-severity.png)Click **Volume** to view the submission trend based on the number of submissions received for a program.![Insights Submissions Received by Volume](/assets/images/customer/insights/submissions/by-volume.png)The following image shows the number of submissions received, open and fixed vulnerabilities, target breakdown, submission type, and severity.![Insights dashboard](/assets/images/customer/insights/dashboard.png)For more information about submission trends, see [submission trends](/customers/the-insights-dashboard/submission-trends).## Viewing PerformanceThe **Performance** section provides information on how efficiently submissions are transitioning through the 
workflow.![Insights program performance](/assets/images/customer/insights/performance/overview.png)For more details about performance, see [program performance](/customers/the-insights-dashboard/program-performance).## Viewing Amount Paid to ResearchersThe **Spend** section shows the amount (in dollars) paid to the researchers. For more details, see [bounty spending](/customers/the-insights-dashboard/bounty-spending).![Insights Amount Paid to Researchers](/assets/images/customer/insights/spend/breakdown-focused.png)## Filtering InsightsThe **Insights** dashboard provides filters to customize your report. For more information, see [insights filtering](/customers/the-insights-dashboard/insights-filtering).![Insights Dashboard Filtering](/assets/images/customer/insights/filtering.png)## Downloading PDF and Exporting Submission DataYou can download a PDF of the report based on the filters and/or export the submission data as a CSV file. For more information, see [downloading report and exporting submission data](/customers/the-insights-dashboard/download-reports-and-export-submission-data).![Insights dashboard download PDF](/assets/images/customer/insights/export/menu.png)" } , { "title" : "Changelog > Improved Security and Transparency", "category" : "customer", "tags" : "", "url" : "/changelog/improved-security-and-transparency/", "date" : "2017-06-23 00:00:00 +0000", "content" : "Updates were made to increase the security of password usage and improve the transparency of program data." } , { "title" : "Changelog > Print a Submission", "category" : "customer", "tags" : "", "url" : "/changelog/print-a-submission/", "date" : "2017-06-27 00:00:00 +0000", "content" : "Crowdcontrol now makes it easy for you to print out a single submission's data." 
} , { "title" : "Changelog > Improved Clarity and Workflow", "category" : "customer", "tags" : "", "url" : "/changelog/improved-clarity-and-workflow/", "date" : "2017-07-06 00:00:00 +0000", "content" : "This update delivers helpful tools to improve the platform experience for both researchers and customers." } , { "title" : "Changelog > Simplified Workflow and Improved Filtering", "category" : "customer", "tags" : "", "url" : "/changelog/simplified-workflow-and-improved-filtering/", "date" : "2017-07-13 00:00:00 +0000", "content" : "Updates have been made to provide a smooth workflow for customers switching between programs. This update also adds a field to the submission inbox filters." } , { "title" : "Changelog > Enhanced Reporting", "category" : "customer", "tags" : "", "url" : "/changelog/enhanced-reporting/", "date" : "2017-07-17 00:00:00 +0000", "content" : "Updates have been made to improve the Rewards tab in Crowdcontrol and deliver additional data in CSV exports of submissions." } , { "title" : "Changelog > VRT Goes Open Source", "category" : "customer", "tags" : "", "url" : "/changelog/vrt-goes-open-source/", "date" : "2017-07-26 00:00:00 +0000", "content" : "The Bugcrowd Vulnerability Rating Taxonomy is now open sourced on GitHub and offers streamlined integration with the VRT gem." } , { "title" : "Changelog > Slack Integration", "category" : "customer", "tags" : "", "url" : "/changelog/slack-integration/", "date" : "2017-08-01 00:00:00 +0000", "content" : "A new Slack integration has been added to allow quick and easy Crowdcontrol notifications within a dedicated Slack channel." 
} , { "title" : "Changelog > VRT 1.2, Improved Functionality, and New Integration", "category" : "customer", "tags" : "", "url" : "/changelog/vrt12-improved-functionality-and-new-integration/", "date" : "2017-08-11 00:00:00 +0000", "content" : "This release introduces an updated version of the VRT, 1.2, adds a new Qualys integration, and improves platform functionality with increased text character and file attachment support." } , { "title" : "Changelog > Advanced API Documentation", "category" : "customer", "tags" : "", "url" : "/changelog/advanced-api-documentation/", "date" : "2017-09-01 00:00:00 +0000", "content" : "New API documentation has been created to help streamline the process of integrating Crowdcontrol data into your applications." } , { "title" : "Changelog > Seamless Crowdcontrol Quick Search", "category" : "customer", "tags" : "", "url" : "/changelog/seamless-crowdcontrol-quick-search/", "date" : "2017-09-06 00:00:00 +0000", "content" : "This update enables customers to easily highlight syntax and quickly search for what they're looking for in Crowdcontrol." } , { "title" : "Changelog > Improved Notifications", "category" : "customer", "tags" : "", "url" : "/changelog/improved-notifications/", "date" : "2017-09-15 00:00:00 +0000", "content" : "Crowdcontrol's notification feature is now smarter than ever: it automatically marks all unread notifications as read once you've viewed the submission." } , { "title" : "Changelog > New Embedded Submission Form", "category" : "customer", "tags" : "", "url" : "/changelog/new-embedded-submission-form/", "date" : "2017-09-22 00:00:00 +0000", "content" : "The Embedded Submission Form creates a channel for users to submit directly on your website, while gaining the benefits in vulnerability triage and integration into the SDLC that Crowdcontrol provides. As you expand your vulnerability disclosure program, surfacing it within your website while easing the process for reporters is key to a successful program." 
} , { "title" : "Changelog > New Notification Management and Downloadable Data", "category" : "customer", "tags" : "", "url" : "/changelog/new-notification-management-and-downloadable-data/", "date" : "2017-09-26 00:00:00 +0000", "content" : "This update introduces a new notifications page to centralize the management of notifications and allows customers to download reward data from Crowdcontrol." } , { "title" : "Changelog > Introducing VRT 1.3", "category" : "customer", "tags" : "", "url" : "/changelog/vrt-13/", "date" : "2017-10-04 00:00:00 +0000", "content" : "VRT 1.3 includes changes to improve the alignment of the VRT with the newest release of the OWASP Top 10 (2017) and maps the VRT to CVSS." } , { "title" : "Changelog > Added CVSS Calculator", "category" : "customer", "tags" : "", "url" : "/changelog/added-cvss-calculator/", "date" : "2017-10-10 00:00:00 +0000", "content" : "The CVSS calculator has been added to Crowdcontrol, allowing customers to score vulnerabilities found by Bugcrowd Researchers with CVSS." } , { "title" : "Changelog > Improved Efficiency with CVSS and Notifications", "category" : "customer", "tags" : "", "url" : "/changelog/improved-efficiency-with-cvss-and-notifications/", "date" : "2017-10-19 00:00:00 +0000", "content" : "This update helps reduce the friction of CVSS adoption by populating prior submissions with a CVSS score derived from the VRT. Also, improvements have been made to email notifications, providing a more efficient means of identifying multiple notifications on a single submission." } , { "title" : "Changelog > New Submission Search Bar and Filtering", "category" : "customer", "tags" : "", "url" : "/changelog/searching-submissions/", "date" : "2017-11-22 00:00:00 +0000", "content" : "This update introduces comprehensive submission filtering capabilities, with a new intuitive search bar providing unique filter sets built to reduce the time spent finding submissions." 
} , { "title" : "Changelog > Enhanced Security & Improved Functionality Offer Seamless Usability", "category" : "customer", "tags" : "", "url" : "/changelog/enhanced-security-improved-functionality-offer-seamless-usability/", "date" : "2017-12-22 00:00:00 +0000", "content" : "This update includes a security enhancement as we've implemented CSP protections to better protect from possible vulnerabilities. In addition, we released the ability to seamlessly sort the order of the targets on your program brief with drag and drop. The submission search bar has been updated to include additional filtering for both our customers and researchers." } , { "title" : "Changelog > Improved Program Performance Tracking and Platform Efficiency", "category" : "customer", "tags" : "", "url" : "/changelog/improved-program-performance-tracking-and-platform-efficiency/", "date" : "2018-01-17 00:00:00 +0000", "content" : "Introducing a new program performance metric on the Program Page, highlighting the time it takes organizations to validate incoming submissions. Crowdcontrol's submission search bar continues to improve the efficiency of finding submissions by adding the ability to search by VRT categories. Customers can track credential allocation if their program is using credentials." } , { "title" : "Changelog > New Crowdcontrol Enhancements Add Improved Platform Efficiencies", "category" : "customer", "tags" : "", "url" : "/changelog/new-crowdcontrol-enhancements-add-improved-platform-efficiencies/", "date" : "2018-02-16 00:00:00 +0000", "content" : "Significant improvements have been made to Crowdcontrol to build upon its current intuitive experience and offer enhancements that will help improve the efficiency of everyday users. Each enhancement augments the use of existing features such as the Submission Search Bar, Jira integration, Insights Dashboard, and Notifications." 
} , { "title" : "Changelog > Crowdcontrol Increases Visibility", "category" : "customer", "tags" : "", "url" : "/changelog/crowdcontrol-increases-visibility/", "date" : "2018-04-17 00:00:00 +0000", "content" : "This update introduces a new feature, Known Issue Sharing, enabling organizations to provide added visibility into a program (read [Bugcrowd’s blog](https://www.bugcrowd.com/blog/new-feature-known-issue-sharing-increases-program-visibility-to-heighten-the-focus-of-crowdsourced-security-testing/) to learn more). Bugcrowd now makes it easy to view changes and updates made to Crowdcontrol by visiting ." } , { "title" : "Changelog > Heightened Platform Security and Usability", "category" : "customer", "tags" : "", "url" : "/changelog/heightened-platform-security-and-usability/", "date" : "2018-04-17 00:00:00 +0000", "content" : "Advancements have been made to Crowdcontrol to bolster the security of the platform as well as improve its usability. These updates offer a workflow built to improve the efficiency of everyday users." } , { "title" : "Changelog > Enhance Program Metrics", "category" : "customer", "tags" : "", "url" : "/changelog/enhance-program-metrics/", "date" : "2018-04-21 00:00:00 +0000", "content" : "Program metrics have been adjusted and improved to deliver helpful data about the health of a program. Refinements to the data provided on the Insights page as well as on the bounty brief now provide increased accuracy." } , { "title" : "Changelog > Updating to VRT 1.4", "category" : "customer", "tags" : "", "url" : "/changelog/updating-to-vrt-14/", "date" : "2018-06-19 00:00:00 +0000", "content" : "VRT 1.4 includes general updates and refined classifications along with mappings to Common Weakness Enumeration (CWE) and remediation advice." 
} , { "title" : "Changelog > Multiple Jira Project Support & Flexible Jira Sync", "category" : "customer", "tags" : "", "url" : "/changelog/multiple-jira-project-support-flexible-jira-sync/", "date" : "2018-06-21 00:00:00 +0000", "content" : "Crowdcontrol now supports multiple Jira projects. Customers can now choose which Jira project a submission should be pushed to. Developers and security engineers often add their own notes to Jira tickets. Crowdcontrol's Jira integration now preserves their edits by only syncing selected Jira fields when a submission is updated." } , { "title" : "Changelog > Enhanced Security Tracking Capability", "category" : "customer", "tags" : "", "url" : "/changelog/enhanced-security-tracking-capability/", "date" : "2018-07-02 00:00:00 +0000", "content" : "Crowdcontrol makes it easy to identify unusual activity on your account with the Security Event Log, which tracks events such as new sessions or modifications to your credentials. This is available for both customers and researchers." } , { "title" : "Changelog > Advanced Crowdcontrol UX", "category" : "customer", "tags" : "", "url" : "/changelog/advanced-crowdcontrol-ux/", "date" : "2018-07-03 00:00:00 +0000", "content" : "A number of improvements have been implemented in Crowdcontrol, delivering a more intuitive and effective user experience." } , { "title" : "Changelog > Improved Platform Usability", "category" : "customer", "tags" : "", "url" : "/changelog/improved-platform-usability/", "date" : "2018-07-11 00:00:00 +0000", "content" : "Advancements have been made to Crowdcontrol to improve its usability. These updates deliver increased functionality built to improve the efficiency of everyday users. For example, tokenized search capabilities have been enhanced so that all users can find exactly what they’re looking for, efficiently and effectively. 
Additionally, Known Issue Sharing now displays `Won’t Fix` submissions to help researchers avoid spending time on vulnerability types they may be duped against." } , { "title" : "Changelog > Hacker Education with Bugcrowd University", "category" : "customer", "tags" : "", "url" : "/changelog/hacker-education-with-bugcrowd-university/", "date" : "2018-08-08 00:00:00 +0000", "content" : "Bugcrowd is excited to announce Bugcrowd University to help educate and empower the Crowd with the latest skills and methodologies." } , { "title" : "Changelog > Crowdcontrol Usability More Intuitive", "category" : "customer", "tags" : "", "url" : "/changelog/crowdcontrol-usability-more-intuitive/", "date" : "2018-08-16 00:00:00 +0000", "content" : "Improvements were made to increase the platform’s ease of use. Updating submissions is now easier than ever, and Bugcrowd personnel are now identified within the activity feed." } , { "title" : "Changelog > Improved SDLC and Remediation Support", "category" : "customer", "tags" : "", "url" : "/changelog/improved-sdlc-and-remediation-support/", "date" : "2018-08-16 00:00:00 +0000", "content" : "Updates have been made to improve the ease of sharing vulnerability data with Development through Crowdcontrol’s Jira integration and downloadable CSV reports." } , { "title" : "Changelog > Improvements Made to Boost Submission Workflow Efficiency", "category" : "customer", "tags" : "", "url" : "/changelog/improvements-made-to-boost-submission-workflow-efficiency/", "date" : "2018-09-19 00:00:00 +0000", "content" : "Significant improvements have been made to increase the speed and efficiency of the submission workflow within Crowdcontrol. Submission blockers have been added to inform users (customers and researchers) when a specific action is required to further assist the vulnerability triage, validation, and fix process. It is now easier to adjust submission data, as users can now edit multiple fields at one time. 
Searching for submissions has been improved with the ability to apply multiple sort methods to the tokenized search." } , { "title" : "Changelog > Minor Tokenized Search Bugs Fixed", "category" : "customer", "tags" : "", "url" : "/changelog/minor-tokenized-search-bugs-fixed/", "date" : "2018-09-22 00:00:00 +0000", "content" : "A few minor bugs were identified and fixed. Duplicate query values no longer appear, and you can now search for dates in the latter half of the month." } , { "title" : "Changelog > Crowdcontrol Improves Adjusted Payment Workflow", "category" : "customer", "tags" : "", "url" : "/changelog/crowdcontrol-improves-adjusted-payment-workflow/", "date" : "2018-09-24 00:00:00 +0000", "content" : "Although rare, customers have made mistakes when rewarding vulnerabilities and, therefore, adjustments may be needed. If a reward has been cancelled, researchers will be notified and informed of the reason for the change. Customers can then award the correct amount." } , { "title" : "Changelog > Enhancements Made to Jira Integrations", "category" : "customer", "tags" : "", "url" : "/changelog/enhancements-made-to-jira-integrations/", "date" : "2018-10-03 00:00:00 +0000", "content" : "Advancements to the Jira integration have been made to enhance and enrich the data shared with development. The integration now offers more customization to fit customer needs, with the ability to automatically push submission comments from Crowdcontrol into Jira, map the VRT to fields within Jira, and support markdown conversion from Bugcrowd to Jira." 
} , { "title" : "Changelog > Updating to VRT 1.5", "category" : "customer", "tags" : "", "url" : "/changelog/updating-to-vrt-15/", "date" : "2018-10-27 00:00:00 +0000", "content" : "The latest VRT release (version 1.5) includes the following updates:* Improving transparency by adding multiple entries for commonly reported issues* Aligning the baseline severity rating to best reflect the market by increasing taxonomy granularity" } , { "title" : "Changelog > 2FA Check Feature", "category" : "customer", "tags" : "", "url" : "/changelog/2fa-check-feature/", "date" : "2018-10-30 00:00:00 +0000", "content" : "We have included check marks to indicate which team members have Two Factor Authentication (2FA) enabled. This allows customers to note who on their team needs to turn on 2FA to have compliance across the team.{% include alert.html style="primary" text="Customers using SAML as a means of authentication can enforce two-factor through their identity provider rather than the platform, so we do not display the check next to SAML-authenticated users. " %}![2fa-check](/assets/images/customer/two-factor-authentication/bounty-analyst.png)" } , { "title" : "Changelog > Add Reward Update", "category" : "customer", "tags" : "", "url" : "/changelog/add-reward-update/", "date" : "2018-11-01 00:00:00 +0000", "content" : "The Add Reward model now indicates when a suggested reward amount differs from the range currently in the program settings.{% include alert.html style="primary" text="If the range changes, researchers can still expect to be paid according to what was advertised at the time they created their submissions." 
%}![add-reward-update](/assets/images/customer/changelog/add-reward-update.png)" } , { "title" : "Changelog > Updating to VRT 1.6", "category" : "customer", "tags" : "", "url" : "/changelog/vrt-16/", "date" : "2018-11-14 00:00:00 +0000", "content" : "VRT 1.6 includes two major changes: a revision to internal SSRF, and a change to how we rate email spoofing, more specifically the baselines around SPF and DMARC." } , { "title" : "Changelog > Application Security Engineer Listed", "category" : "customer", "tags" : "", "url" : "/changelog/application-security-engineer-listed/", "date" : "2018-12-18 00:00:00 +0000", "content" : "With Bugcrowd triage, you can easily identify who your current primary Application Security Engineer (ASE) is right from your program summary page.![application-security-engineer-listed](/assets/images/customer/changelog/application-security-engineer-listed.png)" } , { "title" : "Changelog > File Support Update", "category" : "customer", "tags" : "", "url" : "/changelog/file-support-update/", "date" : "2018-12-18 00:00:00 +0000", "content" : "You no longer need to upload large files to external sources; the platform now supports 100MB for all file uploads, allowing customers and researchers to upload larger files than ever before." } , { "title" : "Changelog > Updated Standard Disclosure Terms", "category" : "customer", "tags" : "", "url" : "/changelog/we-have-recently-updated-the-standard-disclosure-terms/", "date" : "2018-12-18 00:00:00 +0000", "content" : "We have recently updated the Standard Disclosure Terms." } , { "title" : "Changelog > Bugcrowd mention", "category" : "customer", "tags" : "", "url" : "/changelog/bugcrowd-mention/", "date" : "2019-02-16 00:00:00 +0000", "content" : "We've improved the way communicating with the triage team works. 
Now you can mention @Bugcrowd and we'll forward the message to the right triage team member.![bugcrowd-mention](/assets/images/customer/changelog/bugcrowd-mention.png)" } , { "title" : "Changelog > Comparison Operators for Dates", "category" : "customer", "tags" : "", "url" : "/changelog/comparison-operators-for-dates/", "date" : "2019-02-16 00:00:00 +0000", "content" : "Improved tokenized date search: with the ">=" and "<=" operators, the dates specified are now included in the search. For example, the search for <= Feb 28, 2019 will include submissions on Feb 28, 2019.![comparison-operators-for-dates](/assets/images/customer/changelog/comparison-operators-for-dates.png)" } , { "title" : "Changelog > Customer Avatar", "category" : "customer", "tags" : "", "url" : "/changelog/customer-avatar/", "date" : "2019-02-16 00:00:00 +0000", "content" : "Your avatar adds a face to your account and personalizes it. You can use any photo as long as it's appropriate and representative of who you are.However, if you choose not to add a profile photo, a unique avatar will be generated and assigned to your account.![customer-avatar](/assets/images/customer/update-personal-settings/profile-avatar.png)" } , { "title" : "Changelog > GitHub Integration", "category" : "customer", "tags" : "", "url" : "/changelog/github-integration/", "date" : "2019-02-20 00:00:00 +0000", "content" : "Rapid and reliable handoff between Security and Development is crucial for consistent vulnerability patching. 
Bugcrowd's new GitHub integration makes it easier to create and contextualize every request, reducing Security overhead and helping Developers fix faster.![github-integration](/assets/images/customer/github/integrations-link.png)" } , { "title" : "Changelog > Updating to VRT 1.7", "category" : "customer", "tags" : "", "url" : "/changelog/updating-to-vrt-17/", "date" : "2019-03-15 00:00:00 +0000", "content" : "We recently released VRT v1.7, with a platform integration planned for the week of March 25th. The release includes but is not limited to the below updates. For more information, see [VRT 1.7](https://www.bugcrowd.com/blog/bugcrowd-releases-vulnerability-rating-taxonomy-1-7-with-new-automotive-security-misconfiguration/)." } , { "title" : "Changelog > Integration Updates", "category" : "customer", "tags" : "", "url" : "/changelog/integration-updates/", "date" : "2019-03-20 00:00:00 +0000", "content" : "We have continued maturing and growing our SDLC integrations to enable easy and secure ticket management between Crowdcontrol and whatever system your organization leverages. With this release we have updated our Jira integration to support OAuth while adding ServiceNow to our pre-built integration list.![integration-updates](/assets/images/customer/changelog/integration-updates.png)" } , { "title" : "Changelog > Program Search Launched", "category" : "customer", "tags" : "", "url" : "/changelog/program-search/", "date" : "2019-04-02 00:00:00 +0000", "content" : "Hackers are always looking for their next target to dig into. Now with our new program search, this is more flexible and easier than ever before. With new advanced text search and filtering, researchers can search by skill, reward incentives, as well as programs previously submitted to, some of the many levers Bugcrowd’s expert team uses to invigorate program participation over time. 
This creates better visibility across all programs and helps customers connect with the right researchers for their program.![program-search-launched](/assets/images/customer/changelog/program-search-launched.png)" } , { "title" : "Changelog > Retesting Update", "category" : "customer", "tags" : "", "url" : "/changelog/retesting/", "date" : "2019-04-10 00:00:00 +0000", "content" : "Identifying critical vulnerabilities is only the first step to reducing risk. Once development patches a vulnerability submitted via their crowdsourced program, someone needs to verify the patch is effective. Critical vulnerabilities that are not yet patched or are improperly fixed mean the company remains at risk of costly exploits.Now with Crowdcontrol, customers can manage retesting of their submissions while receiving updates on progress. Bugcrowd’s retesting feature offloads security patch validation, saving resources and lowering risk. Customers can initiate this process on their vulnerabilities with a click on the submission page.Note that this functionality is applicable to select products; otherwise it can be enabled as an add-on by your Account Manager at .![retesting-update](/assets/images/customer/retesting/successful.png)" } , { "title" : "Changelog > Image Embeds", "category" : "customer", "tags" : "", "url" : "/changelog/image-embeds/", "date" : "2019-04-11 00:00:00 +0000", "content" : "When writing vulnerability reports and submissions, it is vital to be as clear and detailed as possible to help streamline triage, validation, and acceptance. The markdown fields already allowed for rich text functionality, making it easy to update and review reports.Now both the Crowd and Bugcrowd customers can embed images in-line on submissions and comments. 
This will enable the relevant image attachments to be shown closer to the content describing it, ultimately providing more context for the report, resulting in quicker triage, acceptance and remediation times.![image-embeds](/assets/images/customer/changelog/image-embeds.gif)" } , { "title" : "Changelog > Safe Harbor", "category" : "customer", "tags" : "", "url" : "/changelog/safe-harbor/", "date" : "2019-05-03 00:00:00 +0000", "content" : "Security research requires explicit permission to begin testing, but even with that, the lack of clear legal scope can put hackers, companies and consumers at risk. Now with our safe harbor tracking in platform, one can set their level of safe harbor so that researchers can filter appropriately within the programs list. Go to your bounty brief settings to view your status, and reach out to your account manager to see how to adjust your program to be safe harbor compliant.![safe-harbor](/assets/images/customer/changelog/safe-harbor.png)" } , { "title" : "Changelog > Public Program Credential Support and Improved Target Management", "category" : "customer", "tags" : "", "url" : "/changelog/public-program-credentials/", "date" : "2019-05-08 00:00:00 +0000", "content" : "Program onboarding is a key component to program success. We recently released a Crowdcontrol feature that streamlines credential management for easier researcher onboarding and workflow.Customers running public programs now have the flexibility in-platform to handle credential assignments faster without damaging the researcher experience. 
This update allows for seamless credential distribution.![public-program-credential-support](/assets/images/customer/changelog/public-program-credential-support.png)" } , { "title" : "Changelog > Customer Blockers", "category" : "customer", "tags" : "", "url" : "/changelog/customer-blockers/", "date" : "2019-08-13 00:00:00 +0000", "content" : "To further expedite our customers' ability to get the crucial information needed to action a finding, we are providing them the ability to set blockers on Bugcrowd's ASEs and Researchers, flagging the need for more information around impact or reproduction of the finding. These operate similarly to the existing blockers that Bugcrowd ASEs have been using since last year: one can set a blocker within the comment field at the bottom of a submission (as seen below), which will then be visible to all users on the submission.![customer-blocker](/assets/images/customer/changelog/customer-blocker.png)" } , { "title" : "Changelog > Filtering Customer Blockers", "category" : "customer", "tags" : "", "url" : "/changelog/filtering-customer-blockers/", "date" : "2019-08-21 00:00:00 +0000", "content" : "We created a straightforward approach for Customers to identify submissions that are blocked on the Program Owners and need to be acted upon. The state signifies that Bugcrowd's ASEs or Researchers are waiting for additional clarification before action will be taken.![filtering-customer-blockers](/assets/images/customer/changelog/filtering-customer-blockers.png)" } , { "title" : "Changelog > Program Announcements", "category" : "customer", "tags" : "", "url" : "/changelog/program-announcements/", "date" : "2019-10-23 00:00:00 +0000", "content" : "Customers can now communicate directly with researchers and let them know about updates related to their program. 
Announcements keep your subscribed researchers informed of the latest updates to your platform's features, program scope, and incentives, while giving new researchers looking for work a peek into opportunities for testing. When published, the announcement is sent to subscribed researchers' email addresses and posted within the program brief for those that have access. With this new self-service capability, we wanted to provide you with insight from our experience of sending over two thousand announcements over the past two and a half years, so you have access to a variety of templates based on the reason selected for the announcement. These templates render markdown to provide table breakdowns of new scope and links directly to the target, along with a reply-to address and a link to email Bugcrowd Support for any further help. Go to your Program Settings, then click on the Announcement tab to let the crowd know about your latest updates to test.![program-announcement](/assets/images/customer/program-announcements/new.png)" } , { "title" : "Changelog > IBM Resilient Integration", "category" : "customer", "tags" : "", "url" : "/changelog/ibm-resilient-integration/", "date" : "2019-11-29 00:00:00 +0000", "content" : "An IBM Resilient integration has been added that allows you to synchronize accepted submissions in Bugcrowd to your IBM Resilient platform. 
You can also create a new IBM Resilient incident with vulnerability data from Bugcrowd so that customers can fix the vulnerability.![ibm-resilient](/assets/images/customer/ibm-resilient/add-ibm-resilient-integration.png)" } , { "title" : "Changelog > CrowdStream and Coordinated Disclosure", "category" : "customer", "tags" : "", "url" : "/changelog/crowdstream-and-coordinated-disclosure/", "date" : "2019-12-20 00:00:00 +0000", "content" : "CrowdStream is Bugcrowd's public activity feed and displays the activities for unresolved, resolved, or coordinated disclosed submissions depending on the configured level of visibility for a program. This activity feed displays the program name, researcher name, priority, target, date of resolution or acceptance, and/or reward amount based on the configured visibility settings. The **Exclude this finding from CrowdStream** toggle option per-submission hides a submission even if it is accepted or disclosed. Coordinated Disclosure allows Program Owners and Researchers to work together and publicly disclose details about a submission. When a Program Owner enables Researchers to disclose submissions, Researchers with a valid submission can create a request for disclosure, which sends a notification to the Program Owner. When requesting disclosure, Researchers must provide a summary and choose whether they want limited or full information to be disclosed. The Program Owner can approve or deny any request. When they approve the request, they can change the visibility and update the summary information if required. Once both parties have agreed on the reported details, the disclosure is finalized and displayed in CrowdStream. Program Owners can also set the CrowdStream visibility for each submission. 
For more information, see [CrowdStream activity feed settings by program owner](/customers/submission-management/disclosure-and-crowdstream-settings). The following image shows disclosed and accepted submissions.![disclosed-submission-in-crowdstream](/assets/images/customer/changelog/disclosed-submission-in-crowdstream.png)" } , { "title" : "Changelog > Slack Integration Notification for Blockers", "category" : "customer", "tags" : "", "url" : "/changelog/slack-integration-notification-for-blockers/", "date" : "2020-03-05 00:00:00 +0000", "content" : "Whether accepting, paying, unblocking, or resolving submissions, there is a lot to do in Crowdcontrol. While we help you get the work done in platform, often one needs to be told there is work to do. We have now expanded our Slack integration to cover all the work one needs to be informed of, adding support for notifications on Blockers for all customers. This has been enabled by default to ensure y'all don't miss any work, but you have the ability to manage it right from your Slack settings.![slack-notifications-blocker](/assets/images/customer/changelog/slack-notifications-blocker.png)" } , { "title" : "Changelog > Customer On-call Person", "category" : "customer", "tags" : "", "url" : "/changelog/customer-on-call-person/", "date" : "2020-03-25 00:00:00 +0000", "content" : "The partnership between Bugcrowd's Triage Team and our customers requires collaboration and quick response to help cut down the time it takes to triage and accept vulnerabilities. Last year we made it easier for customers to reach out to the Triage Team by simply mentioning `@bugcrowd` within comments. This has simplified the customer workflow of identifying the right person at Bugcrowd while improving our Triage Team's ability to respond. Now we're excited to launch `@customer` mentions, giving customers the ability to manage who we reach out to for triage-related discussions. 
The field gives you full control by allowing multiple email addresses to be set, enabling support for PagerDuty, OpsGenie, VictorOps and any other alerting and incident management software that supports email intake. Once filled in, our Triage Team will use `@customer` going forward on your program. Go to your program, then **Settings** > **Manage Teams**, and in **@customer** you can configure the email addresses.![customer-on-call-person](/assets/images/customer/on-call-customer/add-email.png)" } , { "title" : "Changelog > Self-Service Program Initiation Now Available", "category" : "customer", "tags" : "", "url" : "/changelog/self-service-program-initiation-now-available/", "date" : "2020-03-28 00:00:00 +0000", "content" : "Existing customers can now initiate programs through the self-service program creation workflow via the **+Start now** button on the program dashboard at . The currently supported self-service program types are: Bug Bounty, On-Demand, and Vulnerability Disclosure Program.![onboarding-dialog](/assets/images/customer/add-new-engagement/select-engagement.png)" } , { "title" : "Changelog > New features in Attack Surface Management - Asset Inventory", "category" : "customer", "tags" : "", "url" : "/changelog/new-features-in-attack-surface-management-asset-risk/", "date" : "2020-03-31 00:00:00 +0000", "content" : "**Multi-Inventory**Customers can now have more than one inventory and easily switch between them. With multi-inventory, assets can be organized by department, team, or any other function imaginable. For example, you could set up an inventory for assets your company owns, and another inventory for the assets of your competitors or acquisition targets.![multi-inventory](/assets/images/customer/changelog/multi-inventory.png)**Choose to Add Subdomains**By design, ASM: Asset Inventory automatically discovers subdomains for any domain name added to an inventory. 
Now, customers have the new option of adding individual subdomains to their inventory, giving them precise control.![subdomain](/assets/images/customer/changelog/subdomain.png)**Added Description field to smart folders**Customers can now add a short description underneath the title of a Smart Folder, making it easier to keep track of a follow-up action, associated department, or any other description imaginable.![descriptions](/assets/images/customer/changelog/descriptions.png)**Improved Visibility of “select all assets” feature**Quickly select or deselect all assets across multiple pages with the click of a button.![visibility](/assets/images/customer/changelog/visibility.png)**Smart Folder duplicate name check**To avoid confusion around Smart Folders, they must now have unique names.![smart-folder-duplicate](/assets/images/customer/changelog/smart-folder-duplicate.png)" } , { "title" : "Changelog > Attack Surface Management Asset Inventory - Dashboards and other updates", "category" : "customer", "tags" : "", "url" : "/changelog/attack-surface-management-asset-inventory-dashbards-feature-updates/", "date" : "2020-04-16 00:00:00 +0000", "content" : "**Inventory Dashboards**You can now render your inventory as dashboards for easier consumption.![inventory-dashboard](/assets/images/customer/changelog/inventory-dashboard.png)![ports-asn](/assets/images/customer/changelog/ports-asn.png)**Export Asset Details**You can now export the asset metadata to a `.csv` or `.xlsx` file.![export-asset-details](/assets/images/customer/changelog/export-asset-details.png)**Manual Metadata Refresh**Quickly update asset metadata on demand.![manual-metadata-refresh](/assets/images/customer/changelog/manual-metadata-refresh.png)**User Management Enhancements**You now have the ability to send mass invites and easily see who has access to your 
inventory.![user-management-enhancements](/assets/images/customer/changelog/user-management-enhancements.png)![team](/assets/images/customer/changelog/team.png)" } , { "title" : "Changelog > Viewing NDA Compliance Status", "category" : "customer", "tags" : "", "url" : "/changelog/viewing-compliance-status/", "date" : "2020-07-30 00:00:00 +0000", "content" : "Our customers have compliance requirements to meet before testing can be started on their programs. One of these can be a contractual requirement that researchers sign a contract in order to gain eligibility for the related programs. Now researchers can sign these documents in-platform, making it easier than ever to activate on your program. Customers also gain visibility of researchers' signature status right within the Participants tab.![Customer Compliance Requirements](/assets/images/customer/researchers/compliance-requirements.png)" } , { "title" : "Changelog > Inviting Researchers", "category" : "customer", "tags" : "", "url" : "/changelog/inviting-researchers/", "date" : "2020-08-22 00:00:00 +0000", "content" : "You can now invite researchers to your program using their email address. This is possible only if the researcher is already on the Crowdcontrol platform.![invitations](/assets/images/customer/inviting-researchers/invite.png)" } , { "title" : "Changelog > API Token usage", "category" : "customer", "tags" : "", "url" : "/changelog/api-token-usage/", "date" : "2020-09-01 00:00:00 +0000", "content" : "Many of Bugcrowd’s customers are heavy users of the API, and use it extensively to integrate crowdsourced security into their workflows. As we roll out the new API to everybody, we want to ensure that customers have control and visibility into the usage of their API tokens. 
Especially for decentralized organizations, it is important for your Security team to know who’s using the API tokens and when. To address this, the platform now provides details of API key usage, including the IP address and time stamp of last use. This audit log is currently available to Org Owner roles on Bugcrowd and applies to current and future use of the Bugcrowd API.![api-token-usage](/assets/images/customer/changelog/api-token-usage.png)" } , { "title" : "Changelog > New Documentation Site", "category" : "customer", "tags" : "", "url" : "/changelog/new-documentation-site/", "date" : "2020-09-09 00:00:00 +0000", "content" : "Our new documentation changes the way you can learn about how to work on Bugcrowd: a new design, improved search and a changelog with an Atom feed to stay in the know.![New Documentation Site screenshot](/assets/images/customer/changelog/new-documentation-site.png)" } , { "title" : "Getting Started with the API", "category" : "api_webhook", "tags" : "api", "url" : "/api/getting-started/", "date" : "", "content" : "AuthenticationAccess tokens are provisioned on a per-user basis and provide authorization to resources based on the user’s role. Multiple access tokens can be provisioned per user, and it is possible to revoke access for a token whenever needed by deleting that token. Bugcrowd enforces an API rate limit of 60 requests / minute / IP address.Provisioning CredentialsTo provision access credentials, log in to Bugcrowd and browse to the API Credentials page by clicking on your profile picture and selecting API Credentials from the drop-down menu. Enter a descriptive name for the credentials, usually the name of the application you will be creating to access the API, then click Create API Credentials. A section with your token auth credentials will be displayed. 
Please record these credentials before leaving the page; they are only displayed upon creation and won’t be viewable after the page is refreshed. The authorization tokens used in this reference are example tokens only; you will need to generate your own tokens for use with the API.Token AuthenticationTo access the API using token authentication, use the provided Authorization request header:curl --include --header "Accept: application/vnd.bugcrowd+json" --header "Authorization: Token gvnzkgmklo:gPYS2SMN3zJ_k-QAEvyMAcr_PqsGlA-vJ2voA7ysZ635GlT_VZdr2Sg3_YCctkM3SwnBtDCn" 'https://api.bugcrowd.com/bounties'Viewing API KeysYou can view the API keys that are in use, expired, or inactive, and revoke tokens as required. You can also view the IP address and time stamp of last use. This is currently available for Organization Owner roles on Bugcrowd and applies to the current and future use of the Bugcrowd API. To view API keys, go to your profile and click Team members. The Organization’s team members page displays the Inactive, Active, and Expired API Keys. To revoke an API key, click the revoke icon. The following pop-up message is displayed. Click Revoke to revoke the API key." } , { "title" : "Getting Started with the API > API Versioning", "category" : "api_webhook", "tags" : "", "url" : "/api/versioning/", "date" : "", "content" : " 2020-10-01.pre 2020-09-01.pre About the Bugcrowd APIWe are excited to be developing a whole new API for interacting with the Bugcrowd platform programmatically. This set of documents relates entirely to the new API. If you’re looking for docs for our existing (v3) API, you can check them out here. We’ll be rolling out the new API very soon. 
For now, if you’d like to start trying it out, please reach out to request access.Accept HeaderTo request resources from the Bugcrowd API, please include either of the following Accept headers in the request. Accept: application/json Accept: application/vnd.bugcrowd.v4+json # Temporary placeholder until date-based versioning is releasedContent TypesThe Bugcrowd API always returns the following Content-Type header. Content-Type: application/jsonMarkdown PropertiesSome Bugcrowd resources use Markdown fields to allow for rich text functionality. Markdown fields can be retrieved or set in Markdown format only. Check the specific API doc page for each resource for more information about Markdown-enabled fields.Additional Media HeadersEach response from the API will contain a custom Bugcrowd header specifying the type of media returned in the response body: X-Bugcrowd-Media-Type: bugcrowd.v4; format=json" } ]