Welcome to Crowdcontrol!
To get started, sign in and familiarize yourself with the Crowdcontrol Navbar. Using this toolbar, you can navigate the platform to perform tasks such as adding new team members, updating the Program Brief, and managing the Submissions Page.
Identify the members of your security team you would like to participate in the program. Understand the Crowdcontrol role types, as each one grants a different level of visibility and a different set of responsibilities. Assign each team member the appropriate role when you invite them; roles can be adjusted at any point during your program.
To learn more on how to invite team members to Crowdcontrol, review the 'Adding New Team Members' page.
It is important to understand that although Crowdcontrol makes it easier to run a bug bounty, your program requires consistent attention. Assign at least one member of your security team to monitor the program. Running a bug bounty is not like turning on a generic scanner whose results can be ignored until there is time to address them, nor like a penetration test that delivers results on a predetermined date: researcher submissions arrive continuously and unpredictably. Neglecting them will do you no favors and will undermine the potential success of your program.
For more info on this topic, please review our blog post Starting a Bug Bounty Program, Step-0.
Running a bounty program does not stop with the one person managing its day-to-day operation. It is also critical that the entire organization is aware of the program and that policies are in place across departments.
You should have processes in place to ensure the timely processing and remediation of reported issues, as well as guidelines for prioritizing them against existing work. This will likely require working directly with multiple project owners, developers, and others. While it is most important that the technical staff are well informed and directed, you should also understand how the program will affect other departments: for example, marketing or sales should know that public website forms will be tested, and customer service should be prepared to field related questions.
Before getting started, know your attack surface. Audit your applications and libraries extensively so you understand where and how you are vulnerable, and identify what matters most to your business.
For more info on this topic, please review Starting a Bug Bounty Program, Step-0
Although Bugcrowd will assist you with this process, we recommend that you take the first step of building the initial framework of your bounty brief yourself. Our Public Programs list shows examples of bounty briefs. To edit your brief, navigate to the Settings tab on the Crowdcontrol toolbar.
More Info on Building a Great Bounty Brief
Before launching your program, import all known issues into Crowdcontrol using a properly formatted .csv file. Crowdcontrol uses these known issues to filter incoming duplicate submissions once your program launches, so an incomplete or malformed import means researchers will be paid for, and you will triage, bugs you already knew about.
To learn more about importing known issues, please review the 'Known Issues Imports' page.
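The duplicate filter that a known-issues import feeds is easiest to understand with a small working model. The Python below is an added example, not Crowdcontrol code: the CSV columns (title, target, vulnerability_type, status), the sample rows and the incoming submission are all constructed for illustration, and the matching rule (same normalized target plus same vulnerability type) is an assumption about how such a check could work, not a description of Crowdcontrol's own logic or import template. It also shows the kind of formatting check worth running before upload, so a malformed row is reported rather than silently dropped.

```python
"""Known-issues import check and duplicate matching.

Added example, not Crowdcontrol code. The CSV layout (columns title,
target, vulnerability_type, status) is an assumption chosen for
illustration; Crowdcontrol's actual import template is documented on
the 'Known Issues Imports' page and may differ.
"""
import csv
import io
from urllib.parse import urlsplit

# Columns this example requires in the import file (assumed, not Crowdcontrol's).
REQUIRED_COLUMNS = ("title", "target", "vulnerability_type", "status")

# Constructed sample import file; the last row is deliberately malformed
# (empty status) to show the pre-upload check catching it.
KNOWN_ISSUES_CSV = """title,target,vulnerability_type,status
Reflected XSS in search,https://app.example.com/search?q=test,xss,open
Verbose stack trace on error page,HTTP://App.Example.com/error/,information_disclosure,wont_fix
Missing rate limit on login,https://app.example.com/login,rate_limiting,
"""


def normalize_target(url: str) -> str:
    """Reduce a URL to lower-cased host plus path so trivial variations
    (host case, query string, trailing slash) still match."""
    parts = urlsplit(url.strip())
    host = parts.netloc.lower()
    path = parts.path.rstrip("/") or "/"
    return f"{host}{path}"


def load_known_issues(csv_text: str):
    """Parse the import file and return (issues, errors).

    A row is rejected and reported if any required column is missing or
    empty, so the file can be fixed before upload instead of importing
    only part of the list."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return [], [f"missing required columns: {', '.join(missing)}"]

    issues, errors = [], []
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        empty = [c for c in REQUIRED_COLUMNS if not (row.get(c) or "").strip()]
        if empty:
            errors.append(f"line {lineno}: empty field(s) {', '.join(empty)}")
            continue
        issues.append({
            "title": row["title"].strip(),
            "target": normalize_target(row["target"]),
            "vulnerability_type": row["vulnerability_type"].strip().lower(),
            "status": row["status"].strip().lower(),
        })
    return issues, errors


def find_duplicate(submission: dict, known_issues: list):
    """Return the known issue a new submission duplicates, or None.

    The match key is (normalized target, vulnerability type): the same bug
    class on the same endpoint. Titles are ignored because researchers
    describe the same finding in different words."""
    key = (normalize_target(submission["target"]),
           submission["vulnerability_type"].strip().lower())
    for issue in known_issues:
        if (issue["target"], issue["vulnerability_type"]) == key:
            return issue
    return None


if __name__ == "__main__":
    issues, errors = load_known_issues(KNOWN_ISSUES_CSV)
    for err in errors:
        print("import error:", err)
    # Constructed incoming submission that should be flagged as a duplicate.
    incoming = {"target": "https://APP.example.com/search?q=<script>",
                "vulnerability_type": "XSS"}
    dup = find_duplicate(incoming, issues)
    print("duplicate of:", dup["title"] if dup else None)
```

Whatever the real import template looks like, the two habits the example encodes carry over: validate the file for missing or empty required fields before uploading it, and record targets in a consistent form, since a known issue listed with a query string or a trailing slash that the researcher omits will not be recognized as the same finding.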
Crowdcontrol integrates with a number of applications, depending on your business needs. We recommend integrating your ticketing system and your SSO (single sign-on) provider first. Ticketing integration streamlines delivery of 'need to fix' vulnerability notifications directly to your development team.
Now that you have gone through our 'Program Owner Start-Up Guide' we recommend that all users who will be working within Crowdcontrol review the 'User Start-Up Guide.'