The Program Brief provides information about the bounty program. You can specify details such as brand color, organization logo, program name, tagline, description, targets, rewards, and known issues. You can also request the safe harbor status and update the Crowdstream settings. Researchers read the Program Brief to understand the scope and purpose of the program, and view the targets that you want them to test.
- Navigating to Program Brief
- Setting your brand color and organization logo
- Specifying program name, tagline, and description
- Adding target information
- Adding program rewards
- Displaying known issues
- Requesting Safe Harbour status
- Updating Crowdstream settings
- Previewing Program Brief
- Saving Program Brief information
Go to the program's Settings tab. The Program brief page is displayed.
To set the brand color, in the Your brand section, click within the displayed text box (top right corner) and specify the hex value for the required color.
To change the organization logo, click on the displayed the logo and choose the new logo.
In the Your brief section, specify the information for the fields provided in the following table.
Descriptive name for the bounty program such as the name of your company or the application that is being tested.
Short sentence that concisely describes your company, product, or bounty program.
Details about the goal of your bounty program.
To style your text, you can apply the Markdown syntax. For more information, see using markdown for formatting content.
For the Tagline and Description examples, see public program listing.
A target is a Web application, mobile application, API, IoT device, hardware, or a website you want to include in your bounty program.
You can add or remove targets manually before a program is live. After the program is live, contact [email protected] to add or remove any targets.
To specify the target information, in the Your brief section, provide information about the program scope including details about the added targets. Emphasize explicitly the in-scope targets, out-of-scope targets, focus areas, and so on. To style your text, you can apply the Markdown syntax. For more information, see using markdown for formatting content.
You can add targets in the Program scope tab. For more information about targets, see target management.
You can specify the payment ranges that the researchers can expect based on the technical severity of the submission. The reward amounts are applicable for valid submissions when the submission moves to the Unresolved state. Unrewarded severity categories are left blank.
To add the reward ranges, in the Reward ranges by severity section, specify the reward amount in the Low reward and High reward fields for the technical severity level. The minimum monetary reward is $20.
In the Maximum advertised reward field, specify the maximum reward (more than the highest P1 reward) that the organization will pay for an exceptional submission.
You can display the count of unique and duplicate vulnerabilities in the Program Brief. It includes P1 to P4 submissions in Triaged, Unresolved, Won’t fix, and Duplicate states.
To display the known issues in the Program Brief, select the Show Known Issues on program brief option.
To clearly indicate safe harbor terms to researchers, you can set and view the program's safe harbor status within Crowdcontrol.
Before requesting for the safe harbor status, make sure that you have met the following requirements for safe harbor compliance:
- Extending Safe Harbor requires the following authorization and exemptions:
- Authorization in accordance with Computer Fraud and Abuse Act (CFAA)
- Exemption from Digital Millennium Copyright Act (DMCA)
- Exemption from restrictions in Terms and Conditions that may interfere with conducting security research
- Identify all in-scope assets so that there is no ambiguity around ownership and scope
- Disclosure Policy
- Display the program's policy to help researchers understand the program
Any program on Crowdcontrol automatically completes the following requirements:
- Whether compensation is provided for (valid and unique) issues, and the form and magnitude of that compensation
- Official Communication Channels
- Exhaustive list of the communication methods that are considered acceptable by the organization for receiving and communicating any information associated with potential vulnerabilities
- Explicit permission to complete research
After these are set, researchers can view the program's status and filter by those with a full and partial safe harbor to make sure they are working on programs that provide them the legal measures they prefer.
After you have met the preceding requirements, in the Program sage harbor status section, click Request safe harbor update to update the safe harbor compliance for the program.
CrowdStream is Bugcrowd's public activity feed and displays the activities for rewarded submissions, accepted submissions, resolved submissions, and co-ordinated disclosures. You can perform the following:
- Enable CrowdStream Visibility for Program
- Enable or disable researchers to request submission disclosure
For further information, see setting CrowdStream activity feed visibility.
After you have provided all the required information, click Generate brief preview.
Click Preview program brief. A preview of the updated Program Brief opens as a separate page and displays the information in the way it will appear to the researcher.
Caution: Preview Link
The preview link does not expire and may be used by anyone who retrieves this link. Anyone who has this link may participate in the bounty program, even if it is private. This link is for internal use only and should not be distributed to outside researchers.
To clear the preview link, click Clear preview link.
To save the information you have provided in the various sections, click Update program.
The Program Brief is updated and the researcher can view this information.
Updated about a month ago