Welcome to Bugcrowd's Product Documentation Center

You'll find comprehensive guides and documentation to help you start working with Bugcrowd as quickly as possible.

Target Management

A target may be any web application, mobile application, API, IOT device, hardware or website you want to include in any of your bounty programs.

Targets added to the Organization Target Directory are added at an Organization Level as a part of a customer's Crowdcontrol target repository. The targets added to the Organization Target Directory may be used on any of the customer's bounty programs run on Crowdcontrol.

Adding Targets At An Organization Level

An 'Organization Owner' may add a number of targets to Crowdcontrol by navigating to the 'Organization Settings' page. To do this, click on the gear icon in the upper right-hand corner.

Select the 'Target Directory' tab.

To add a target to the 'Target Directory' click in the blank space as seen below and enter in the desired target to be added. After the target is entered, click on the '+' icon on the far right to add it to the 'Target Directory'.

List each target your organization would like to test. Targets listed here will be assignable to any of your organization's programs on Crowdcontrol.

Target Directory - Adding a New Target

Target Directory - Adding a New Target

Assigning Target Type

Next, after the target has been added to the 'Target Directory', assign the appropriate target 'type' and 'business impact' by using the drop down arrows as seen in the image below.

Assign Target Type & Business Impact

Assign Target Type & Business Impact

Categorize the target based on one of the seven different types of targets provided in the drop down menu. Select the type that best fits your target, categories include website, API, IOS, Android, IOT, hardware, and other.

Assign Target Type

Assign Target Type

To assign 'Business Impact' assess your targets and rate each one based on which target would have the most impact on your business if compromised. Much like threat modeling, consider variables such as - the accessibility of the target, is sensitive information present, high or low traffic, etc - to determine whether it should be set as a High, Medium, or Low impact target.

Assigning Target Business Impact

Assigning Target Business Impact

Attention: Changing Target Type or Business Impact

Although Organization Owners may change a target's 'type' or 'business impact' at any time, keep in mind that these fields will be changed on that specific target across all programs on Crowdcontrol.

Adding Targets On A Program Level

A 'Program Administrator' may search and add a number of targets to a program from the 'Organization Target Directory' by navigating to the 'Program Settings' page. To do this, click on the 'Settings' tab on the Crowdcontrol Navbar

Attention: Feature Restriction

Targets may only be manually added and removed by a user before a program has been launched live. Once the program has been launched live, the customer must contact customer@bugcrowd.com to add or remove any targets.

Program Settings

Program Settings

Select the 'Program Scope' tab.

Program Scope

Program Scope

Search for the target to assign to the program in the blank space.

Search Target Directory

Search Target Directory

Select the target you wish to assign to the program. Once selected, click the '+' icon on the right-hand side to add the target.

Select and Assign Target to Program

Select and Assign Target to Program

New Targets: Adding New Targets At A Program Level

New targets that have yet to be added to the Organization Target Directory can be added to a program by typing the new target in the blank search space. Once the target has been entered, set the target 'type' and 'business impact' level before clicking the '+' icon to add the target.

The target, its target 'type' and 'business impact' will automatically be uploaded into the Organization Target Directory.

Set Target In or Out Of Scope

Next, use the drop down arrow in the 'scope' field to identify whether the target is in scope or out of scope.

Scoping Targets: What's In and What's Out?

Use the following three resources to help better understand and identify which targets should be set in or out of scope:

The Anatomy of a Bounty Brief
Creating a Scope
Defining Exclusions

Target Scope

Target Scope

Targets will be clearly labeled as 'In Scope' or 'Out of Scope' on the bounty brief as shown in the image below.

Target Scope - Program Brief

Target Scope - Program Brief

Reordering Targets in a Program

The order your targets appear on your program brief and submission form can increase their visibility to researchers. To increase awareness around critical targets, you may want to arrange them based on their business impact. Of course, you can arrange them in any order that makes the most sense to your program.

To reorder the targets in a program:

  1. Go to Settings to view your program settings.
  2. Go to the Program Scope tab. The Program Scope lists all of the targets that can be tested in your program.
  3. Find the target you want to move.
  4. Use the Drag button in the Actions column to move the target to its new position in the list.

When you are done, you can go to your program brief to verify that the targets have been reordered and categorized based on scope.