Managing Targets at Program Level

Adding Targets at Program-level and Defining Rewards for Targets

At the program level, you must first create a target group and then add targets to that group.

You can add one or more in-scope target groups and define your program’s reward structure (if a paid engagement) for each group.

Out of Scope Target Group: To avoid miscommunication, define targets that are out of scope for the engagement in the Out of Scope target group.

Pen Test Targets: Targets for Pen Test are now managed in the engagement settings, not the program settings. To learn more, view Managing Targets at Engagement Level.

Use the following three resources to help better understand and identify which targets should be set in or out of scope:

Adding Target Groups

To add target groups, follow these steps:

  1. Select an engagement, then go to Settings and click on Scope & Rewards.

  2. On the Scope & Rewards page, click Target groups.

    The Target groups page is displayed.

  3. To create a target group, click Add group.

    The Add target group page is displayed.

  4. In Title, specify a name for your target group.

  5. In Description, provide a detailed description of the target group. This includes details about:

    • Target documentation
    • System diagrams
    • Focus areas

    You can style your text using the Markdown syntax. For more information, see using markdown for formatting content.

  6. If you want researchers to test all the targets in the group, then select the This target group is In-scope option.

  7. If you plan to compensate for unique, valid findings, select the This target group pays monetary rewards option.

    We have pre-set reward ranges depending on how mature your asset’s security posture is, displayed as High, Medium, and Low. By selecting one of these options, the ranges will auto-fill, but you can adjust this as required by selecting Custom.

  8. If you selected Custom, specify the minimum and maximum values in the text boxes for each priority for which you plan to compensate unique, valid findings.

Adding Targets to Target Group

To add targets to a target group, follow these steps:

  1. In Targets, click Add new target.

    The Add target pop-up window is displayed.

    Feature Restriction: Targets may only be manually added and removed by a user before a program has been launched live. Once the program has been launched live, contact your Account Manager to add or remove any targets.

  2. Specify the following:

    • Target name: Select a pre-existing target or enter the name of the target to be created.
    • Target URL / Location (optional): Provide the complete URL for researchers to access this target. It must be a valid example of an instance of this target such as a website, application, API, or the app store link to the mobile application. Bugcrowd’s servers will occasionally poll these targets to test connectivity and composition.
    • Category: Select the category that best fits your target.
    • Tags (optional): Select tags to indicate the skills and technologies that will be helpful in testing this target.

  3. Click Save.

    The target is added to the group and is displayed in the Targets section.

  4. Repeat steps 1, 2, and 3 to add another target.

  5. Click Save group.

    The Group created successfully message is displayed and the target group appears on the Target groups page.

Editing Targets in Target Group

If you want to edit the target information, click the gray Edit icon.

Deleting Targets in Target Group

To delete a target, click the red Delete icon for the target that you want to delete.

Deleting a target from a program will effectively change the scope and bounty brief.

Removal of Program Targets: If your program has yet to launch live, both in-scope and out-of-scope targets may be removed. If your program is currently running live, ONLY out-of-scope targets may be removed.

The ability to remove targets is limited to specific roles:

  • Only Organization Owners and Program Admins may remove or edit a target on a single program.
  • Only Organization Owners may remove targets entirely from the platform in the target directory page.

Removing a Target: After a target is removed from a program, researchers can no longer submit vulnerabilities against it until the target has been re-added to the program.

At this point, the target will be removed from the program brief; however, existing submissions attached to this target will remain available within the submission inbox. In addition, all submissions attached to this target will be included in all metrics presented on the Insights page.

Reordering Targets in Target Group

To reorder a target, click the two-arrow icon, and drag and drop the target to the required position.

Removing Target Group

To remove a target group, follow these steps:

  1. On the Target groups page, click Edit for the target group you want to remove.

    The Edit target group page is displayed.

  2. Scroll to the end of the page and click Remove group.

    A message asking for confirmation is displayed.

  3. Click Remove.

    The “Group deleted successfully” message is displayed and the target group is removed from the Target groups page.