Public Disclosure Policy

Vulnerability Disclosure at Bugcrowd

Bugcrowd believes that the coordinated, orderly, public disclosure of vulnerabilities is a healthy and important part of the vulnerability disclosure process. The following disclosure policies apply to all submissions made through the Bugcrowd platform (including New, Triaged, Unresolved, Resolved, Duplicates, Out of Scope, Not Applicable, and Won’t Fix submissions). Program Owners and researchers are encouraged to work together to share information in a mutually agreed manner. This section explains the disclosure options at Bugcrowd to both Program Owners and Crowd members.

Coordinated Disclosure

Coordinated Disclosure is the default recommended policy for all new public programs, and is strongly recommended but optional for ongoing private bounty programs. In this model, Program Owners commit to allowing researchers to publish mutually agreed information about the vulnerability after it has been fixed. Program Owners require explicit permission to disclose in the submission record. This applies to all the submissions for the program, regardless of validity or acceptance.

Under Bugcrowd’s Coordinated Disclosure, researchers can externally publish limited or full disclosures that Program Owners have approved.

Bugcrowd’s Coordinated Disclosure allows Program Owners and Researchers to work through the disclosure process together. During that process, all parties must agree on a date and a disclosure level (limited or full) for the vulnerability or exploit to be disclosed. Once the vulnerability or exploit is disclosed on Bugcrowd’s platform, the Researcher can disclose it publicly, as long as the disclosure adheres to the agreed type (limited or full) and any other parameters agreed for the disclosure.

When you disclose a submission publicly, your profile photo (avatar) from your private profile will also be revealed along with your username.

Nondisclosure

Nondisclosure is the default policy for OnDemand and continuous Next Generation Penetration Testing. It is common in private bounty programs. In the absence of a Coordinated or Custom Disclosure policy (or in the case of any ambiguity) the expectation of the Researcher and the Program Owner is nondisclosure. This is documented in our standard disclosure terms and researcher code of conduct. This means no submissions may be publicly disclosed at any time and is designated by the following text in the program bounty brief:

[Image: non-disclosure text as shown in the program bounty brief]

Custom Disclosure

In some cases, Bugcrowd customers customize disclosure requirements in their bounty brief. An example of that is Tesla, which states:

[Image: Tesla's custom disclosure terms]

Program Disclosure

The existence or details of private programs must not be communicated to anyone who is not a Bugcrowd employee or an authorized employee of the organization responsible for the program.

If there is a conflict between the disclosure terms listed on a Program’s brief and the Bugcrowd Standard Disclosure Terms, the Program Brief supersedes Bugcrowd’s terms. If you have any questions, submit a support ticket through the Bugcrowd Support Portal.

Accidental Disclosure: Insecure POC video sharing

It is recommended to include a video or screenshot as Proof-of-Concept in your submissions. These files should not be shared publicly. This includes uploading them to any publicly accessible website (for example, YouTube or Imgur). If the file exceeds 100MB, upload the file to a secure online service such as Vimeo, with a password. For more details, see the reporting a bug documentation.