Disclosing Submissions

Submission reports that have been approved for Coordinated Disclosure can be shared externally. In addition, disclosed reports are visible to the public in CrowdStream and contain a summary that you and the Program Owner have provided; this disclosure summary includes information such as program name, submission title, reward amount, VRT priority, and a timeline of activity in this submission.

You can request a disclosure only if the Program Owner has enabled disclosure in the CrowdStream settings. For more information on configuration, see enabling disclosed submissions in CrowdStream.

When you disclose a submission publicly, your profile photo (avatar) from your private profile will also be revealed along with your username.

It is recommended that you submit disclosure requests for resolved vulnerabilities.

When you create, update, or cancel a disclosure request, the Program Owner is notified. The Program Owner may choose to request changes to your summary, decrease your preferred disclosure level, or deny disclosure. When the disclosure request is approved or denied, you will be notified, and the Disclosure request section in the submission displays the notification message.

Requesting Disclosure

Go to the Submissions tab, click the submission whose report you want to disclose, and click Request disclosure. Make sure to read the public disclosure policy.

request-disclosure

Adding Message for Customer

In Message to customer, provide a reason for the disclosure request. This message will not be visible to the general public, even if you are given permission to disclose this report. You can style your text using the Markdown syntax. For more information, see using markdown for formatting content.

message for the customer

Adding Disclosure Summary

In Summary to be published, provide the details of your submission. This message will be visible to the general public if you are given permission to disclose this report.

You can style your text using the Markdown syntax. For more information, see using markdown for formatting content.

disclosure-summary

Selecting Disclosure Level

In Disclosure level, select one of the following options:

  • Full visibility: Full report details are visible to the public. It includes vulnerability information, summary, and complete timeline (comments and attachments).
  • Limited visibility: Summary and timeline with comments are visible to the public.

disclosure-level

Submitting Disclosure Request

After providing the disclosure summary and selecting the disclosure level, click Submit request.

submit-request

The Disclosure request submitted message is displayed. The status of the disclosure changes to Pending review. A notification is sent to the Program Owner to approve the request.

After the Program Owner approves the disclosure request, the submission is displayed in the CrowdStream activity feed.

The following image shows a disclosed submission in CrowdStream. The username and the reward amount are displayed based on your CrowdStream settings. For more information about CrowdStream settings, see setting CrowdStream visibility options.

crowdstream-feed

Editing Submitted Disclosure Request

Before approving your request, Program Owners may request changes to your summary, or you may want to update the summary and resend the request.

To edit the submitted disclosure request, click Edit summary.

edit-summary

You can update the Message to customer and Summary to be published sections, and then click Save summary. You cannot change the Disclosure level.

save

The Disclosure request updated message is displayed. A notification is sent to the Program Owner.

Cancelling Submitted Disclosure Request

To cancel a submitted disclosure request, click Cancel disclosure request as shown.

cancel-request

The following pop-up message is displayed. Click Cancel request.

cancel-pop-up

The Disclosure request cancelled message is displayed. The message shown in the following image is also displayed for the submission.

cancelled-message

Viewing Approved or Denied Message from Program Owner

When the Program Owner approves the disclosure request, the following message is displayed in the Disclosure request section of the submission.

request-approved-message

You can click View disclosed report to view the submission report that is published. The following screenshot shows a disclosed report with full visibility.

full-report

The following screenshot shows a disclosed report with limited visibility.

partial-report

When the Program Owner denies the disclosure request, the following message is displayed in the Disclosure request section of the submission.

request-denied