A target may be any web application, mobile application, API, IoT device, hardware, or website you want to include in any of your bounty programs.
Targets in the Organization Target Directory are added at the organization level as part of a customer's Crowdcontrol target repository. They may be used on any of the customer's bounty programs run on Crowdcontrol.
An 'Organization Owner' may add a number of targets to Crowdcontrol by navigating to the 'Organization Settings' page. To do this, click on the gear icon in the upper right-hand corner.
Select the 'Target Directory' tab.
To add a target to the 'Target Directory', click in the blank field as seen below and enter the target. After the target is entered, click the '+' icon on the far right to add it to the 'Target Directory'.
List each target your organization would like to test. Targets listed here will be assignable to any of your organization's programs on Crowdcontrol.
Target Directory - Adding a New Target
After the target has been added to the 'Target Directory', assign the appropriate target 'type' and 'business impact' using the drop-down arrows as seen in the image below.
Assign Target Type & Business Impact
Categorize the target using one of the seven target types provided in the drop-down menu. Select the type that best fits your target. The categories are website, API, iOS, Android, IoT, hardware, and other.
Assign Target Type
To assign 'Business Impact', assess your targets and rate each one based on which would have the most impact on your business if compromised. Much like threat modeling, consider variables such as the accessibility of the target, whether sensitive information is present, and whether traffic is high or low to determine whether it should be set as a High, Medium, or Low impact target.
Assigning Target Business Impact
Attention: Changing Target Type or Business Impact
Although Organization Owners may change a target's 'type' or 'business impact' at any time, keep in mind that a change to these fields applies to that specific target across all programs on Crowdcontrol.
A 'Program Administrator' may search for targets in the 'Organization Target Directory' and add them to a program by navigating to the 'Program Settings' page. To do this, click on the 'Settings' tab on the Crowdcontrol Navbar.
Attention: Feature Restriction
Targets may only be manually added and removed by a user before a program has been launched live. Once the program is live, the customer must contact email@example.com to add or remove any targets.
Select the 'Program Scope' tab.
In the blank search field, search for the target to assign to the program.
Search Target Directory
Select the target you wish to assign to the program. Once selected, click the '+' icon on the right-hand side to add the target.
Select and Assign Target to Program
New Targets: Adding New Targets At A Program Level
New targets that have not yet been added to the Organization Target Directory can be added to a program by typing the new target in the blank search field. Once the target has been entered, set the target 'type' and 'business impact' level before clicking the '+' icon to add the target.
The target, its target 'type', and its 'business impact' will automatically be uploaded into the Organization Target Directory.
Next, use the drop-down arrow in the 'scope' field to identify whether the target is in scope or out of scope.
Scoping Targets: What's In and What's Out?
Targets will be clearly labeled as 'In Scope' or 'Out of Scope' on the bounty brief as shown in the image below.
Target Scope - Program Brief
The order in which your targets appear on your program brief and submission form can increase their visibility to researchers. To increase awareness of critical targets, you may want to arrange them based on their business impact. You can also arrange them in any other order that makes sense for your program.
To reorder the targets in a program:
- Go to Settings to view your program settings.
- Go to the Program Scope tab. The Program Scope lists all of the targets that can be tested in your program.
- Find the target you want to move.
- Use the Drag button in the Actions column to move the target to its new position in the list.
When you are done, you can go to your program brief to verify that the targets have been reordered and categorized based on scope.