Welcome to Bugcrowd's Product Documentation Center

You'll find comprehensive guides and documentation to help you start working with Bugcrowd as quickly as possible.

Program Owner Start-Up Guide

Getting a Bug Bounty Started on Crowdcontrol

Welcome to Crowdcontrol!

To get started, sign in and familiarize yourself with the The Crowdcontrol Navbar. Using this toolbar, you will be able to navigate through the platform to perform tasks such as adding new team members, updating the Program Brief, and managing the Submissions Page.

Step 1 - Invite team members to the program

Each Crowdcontrol role provides different visibility and job responsibilities for each member of your team. You can assign your team members the appropriate role based on the tasks you want them to perform. These roles may be adjusted at any point in time during your program.

To invite someone to a program, go to Program Settings > Manage team and click the Invite a team member button.

Step 2 - Assign a team member to monitor the program

It is important to understand that although Crowdcontrol makes it easier to run a bug bounty, your program requires consistent attention. Having at least one individual on your security team assigned to monitor the program is highly recommended. Running a bug bounty program is not the same as turning on a generic scanner whose results can be ignored until there’s time to address them or a penetration test which delivers results on a predetermined date. Neglecting researcher submissions will do you no favors, and will undermine the potential success of your program.

Step 3 - Make your organization aware of the program

Running a bounty program doesn’t just stop at that one person you have managing the day to day of the program. It’s also critical that the entire organization is aware of the bounty program, and policies are in place across departments.

You should have processes in place to ensure the timely processing and remediation of found issues, as well as prioritization guidelines over existing work. This will likely require working directly with multiple project owners, developers, and so on. And while it's most important that the technical folks are well informed and directed, it’s also important that you understand the extent to which this will affect other departments. For example, marketing or sales folks should be aware of testing on public website forms, customer service folks should be prepared to field related questions, etc.

More Info

For more info on this topic, please review the process of the Bug Bounty Lifecycle.

Step 4 - Review your attack surface

Before getting started, know your attack surface. Initiate extensive audits of your apps and libraries to help you understand where and how you’re vulnerable, and identify what is most important to your business.

Step 5 - Build your bounty program brief

Although Bugcrowd will assist you with this process, we always recommend you take the first step in building the initial framework of your bounty brief. By going to our Public Programs list you can see examples of bounty briefs. To edit your brief, navigate to the settings tab on the Crowdcontrol toolbar.

More Info on Building a Great Bounty Brief

Step 6 - Import known issues

Prior to the launch of your program, import all known issues into Crowdcontrol using a properly formatted .csv file. It is important for Crowdcontrol to identify these known issues to help filter any incoming duplicate submissions upon the launch of your program.

More Info

To learn more about importing known issues, please review the 'Known Issues Imports' page.

Step 7 - Set up integration

Crowdcontrol has the ability to integrate with a number of different applications, depending on your business needs. We recommend integrating your ticketing system and SSO (single sign-on) application first. Ticketing integration will help streamline the 'need to fix' vulnerability notification process directly to your development team.

More Info

Learn more about how to integrate your ticketing system:

Learn more about how to integrate your SSO application:

Now that you have gone through our Program Owner Start-Up Guide, we recommend that all users who will be working within Crowdcontrol review the User Start-Up Guide.