[ { "title" : "Researcher Changelog", "category" : "researcher", "tags" : "", "url" : "/researchers/changelog/", "date" : "", "content" : "Subscribe to updates at https://docs.bugcrowd.com/feed/changelogs/researcher.xml. Sep 16th, 2020 Just for You - Program Recommendations Added Viewing just for you programs Sep 15th, 2020 Discover Programs Added Discovering Programs Sep 12th, 2020 2FA Backup Codes in Platform Added Enabling backup codes for 2FA configuration Jun 18th, 2020 Payments Through Bank Transfer Added Setting Up Bank Transfer payment method Apr 3rd, 2020 Waitlisted Programs Added Waitlisted programs Word counter in submission form Mar 3rd, 2020 Joinable Program Added Joinable programs Dark Mode 90-day Priority Percentile within one’s dashboard Improved Programs filters moved to a dropdown Updated Disclosure enabled by default for new programs Dec 19th, 2019 Achievement Badges Added Researcher Achievement Badges Priority Percentile now available within your profile Dec 19th, 2019 CrowdStream and Coordinated Disclosure Added Viewing activity feed in CrowdStream Disclosing submission report summary Nov 5th, 2019 Program Feedback when Ignoring or Hiding Added Ignoring invitation or hiding program Updated Researcher Avatar visible to submitted programs Oct 11th, 2019 Submission Retesting Added Retesting Submissions View Payments and Points in Filtered Submission Results Aug 2nd, 2019 Certificates Added Adding certifications Jul 24th, 2019 Safe Harbor Added Researchers can filter by program’s safe harbor status within program search Jun 17th, 2019 Researcher Collaboration Added Researcher Collaboration May 7th, 2019 Public Program Credential Support and Improved Target Management Improved Public Programs can now support credentials Apr 11th, 2019 Image Embeds Added Image Embeds in Submissions and Comments Apr 2nd, 2019 Payoneer Update Improved Payoneer Apr 1st, 2019 Program Search Launched Added Program Search Mar 14th, 2019 Updating to VRT 1.7 Added Automotive 
Security Misconfiguration category Sensitive Data Exposure > Weak Password Reset Implementation > Token Leakage via Host Header Poisoning as a new P2 variant, which is consistent with how this issue has been triaged by Bugcrowd’s Application Security Engineers so far. Two new P4’s related to 2FA Secret Management Improved Remediation Advice links to latest OWASP Documentation Dec 17th, 2018 Payments Update Added Payments Dec 17th, 2018 File Support Update Improved Platform supports 100MB for all file uploads Nov 2nd, 2018 Updating to VRT 1.6 Improved VRT 1.6 Oct 30th, 2018 Point Reward System Better Aligns Expectations and Acknowledges Researchers for Their Hard Work Added Won’t Fix submissions are rewarded points Payments Fixed Email notifications on updates for Researchers Oct 26th, 2018 Updating to VRT 1.5 Improved VRT 1.5 Sep 24th, 2018 Crowdcontrol Improves Adjusted Payment Workflow Added Adjusting mistaken rewards workflow updated Sep 19th, 2018 Added Platform Usability and Preference Control Added Pending Invitations filter Pause Pending Payments Sep 18th, 2018 Improvements Made to Boost Submission Workflow Efficiency Improved Submission Blockers Aug 15th, 2018 Crowdcontrol Usability More Intuitive Improved Identify Bugcrowd employees in activity feeds with a new icon identifier Aug 7th, 2018 Hacker Education with Bugcrowd University Added Bugcrowd University Jul 10th, 2018 Improved Platform Usability Improved Tokenized search Jul 3rd, 2018 Advanced Crowdcontrol UX Added Unique Avatars updated label on the Programs page, to highlight recently updated programs. Bugcrowd ninja forwarding now includes the to email address to allow sub-domains. Quick links panel in Researcher dashboard Leveraging program or user images for unfurling. Improved Use Crowdcontrol on the go, now with a responsive navigation bar. Notifications show below the customer state dropdown, so you can quickly change states, without needing to dismiss. 
Jul 2nd, 2018 Enhanced Security Tracking Capability Added Security Event Loggers Jun 19th, 2018 Updating to VRT 1.4 Added VRT v1.4 is shipped Apr 17th, 2018 Heightened Platform Security and Usability Added Remove timeout, instead using re-authentication prompts. Interactive Session Management UI Improved Added SSO indicators for authentications within the Session Management interface Apr 16th, 2018 Crowdcontrol Increases Visibility Added Known Issue Sharing bugcrowd.com/changelog Feb 15th, 2018 New Crowdcontrol Enhancements Add Improved Platform Efficiencies Added Search by Custom Fields with the Submission Search Bar Search result number count when using the Submission Search Bar Insights filter toggle - offering a clean display for sharing data on TVs Improved Page design refreshes on the ID Verification and Payment Method Configuration pages Jan 17th, 2018 Improved Program Performance Tracking and Platform Efficiency Added Program performance metric to Program Page (Time to Validation) VRT Categories to Tokenized Search Dec 21st, 2017 Enhanced Security & Improved Functionality Offer Seamless Usability Added Platform Security – Implemented CSP protections Filter by the Submitted Date (Tokenized Search) Filter by the date a submission was awarded points (Tokenized Search) Filter by the date a submission was awarded payment (Tokenized Search) Nov 21st, 2017 New Submission Search Bar and Filtering Added Advanced submission filtering is live Improved Text search within Crowdcontrol is now more accurate in filtering for exactly what you search for, no longer trying to handle misspellings. 
Oct 4th, 2017 Introducing VRT 1.3 Improved VRT v1.3 is shipped Jul 26th, 2017 VRT Goes Open Source Added VRT gem is now open sourced Jul 6th, 2017 Improved Clarity and Workflow Improved Researchers can now upload an attachment to a comment New and Triaged submissions can be auto-assigned to a team member Feb 15th, 2017 Comparison Operators for Dates Improved Tokenized date search " } , { "title" : "Account Settings", "category" : "researcher", "tags" : "account-management", "url" : "/researchers/managing-account/account-settings/", "date" : "", "content" : "Your Bugcrowd Account Settings include the following information: Profile: Customize your username, avatar, certifications, and what social links are shown on your public profile (if enabled) Account: Share your legal name and mailing address for use on hardware or NDA programs; you can also set your t-shirt size Payment methods: Connect available payment options or change your preferred method Security: Manage your Sessions; enable 2FA or view the Security Event Log for your profile Identity verification: Complete the optional Identity Verification process to qualify for additional programs" } , { "title" : "Account Settings > Adding Your Resume", "category" : "researcher", "tags" : "", "url" : "/researchers/managing-account/account-settings/adding-your-resume/", "date" : "", "content" : "You can create your resume on Bugcrowd that includes sections such as Summary, Experience, Education, Security Testing, and Certifications. Your resume is supporting evidence to speed up your application for waitlisted programs. You can enter it once and use it on all future applications. Bugcrowd also uses your resume as input when finding researchers to invite for specific engagements that require special skills or professional experience (which is not for all private programs). 
Keeping your resume up-to-date will help your applications and invitations flow. Your resume information is not visible in your public profile. To create your resume: Go to Account settings and then click Resume. The Resume page is displayed. Provide the following information: Summary: Brief description about yourself, your level of experience, and your key skills. Experience: Specify relevant experience. Education: Provide any courses or learnings you have completed or are currently pursuing. Security testing: Specify any relevant projects you have completed. Certifications: List relevant certifications that you have acquired. You can use markdown format to style your text. For information about markdown format, see using markdown for formatting-content. Click Save resume to save the information. " } , { "title" : "Account Settings > Changing Account Password", "category" : "researcher", "tags" : "", "url" : "/researchers/managing-account/account-settings/changing-account-password/", "date" : "", "content" : "To change your account password: Go to Update your password page. Specify the New password and Confirm new password. Your password must contain a minimum of eight characters, random words, and a combination of upper and lowercase letters, numbers, and special characters. Click Update password. The password will be updated. " } , { "title" : "Account Settings > Connecting Your GitHub and Stack Overflow Accounts", "category" : "researcher", "tags" : "", "url" : "/researchers/managing-account/account-settings/connecting-github-and-stack-overflow-accounts/", "date" : "", "content" : "You can expand your program opportunities by connecting to the following accounts: GitHub account and Stack Overflow account. Crowdcontrol utilizes pre-existing information about your security and development skills to recommend the best matching programs. You can now connect your external social profiles to Bugcrowd. 
The integrations use OAuth to actively include any changes from other social profiles into Bugcrowd, allowing for a dynamic collection of all your information. It is always up-to-date. Bugcrowd takes the privacy of your information seriously, so the social profile linking is optional and you can opt-in for it. The integration only uses public information from these sources to decorate your profile and recommend programs to you. To enable this, go to your Profile page > Portfolio Accounts, and click Connect an account. You can connect your Bugcrowd profile to Github, StackOverflow, and PentesterLab. Connecting Your GitHub Account Go to your profile and click Account Settings. The Profile page is displayed. Click Portfolio Accounts. The Portfolio Accounts page is displayed. Click Connect an account. Click GitHub. The Authorize Bugcrowd page is displayed. Click Authorize bugcrowd. You will be redirected to https://bugcrowd.com. After the external profile is connected, the External profile connected message is displayed and the Portfolio Accounts page displays the connected GitHub account. Connecting Your Stack Overflow Account On the Portfolio Accounts page, click Connect an account and then click Stack Overflow. You will be redirected to https://stackoverflow.com. Log in using your Google account, GitHub account, or Facebook account. If you do not have an account you can click Sign up and create an account. After you log in, the following page is displayed. Click Approve to authorize Bugcrowd. After the external profile is connected, the External profile connected message is displayed and the Portfolio Accounts page displays the connected Stack Overflow account. Unlinking Your External Account To unlink your GitHub or Stack Overflow accounts: On the Portfolio Accounts page, click Unlink account for the account you want to remove. A confirmation pop-up message is displayed. Click Unlink. The External profile disconnected message is displayed. 
" } , { "title" : "Account Settings > Deactivating Your Account", "category" : "researcher", "tags" : "", "url" : "/researchers/managing-account/account-settings/deactivating-your-account/", "date" : "", "content" : "If you no longer need to access or have a Bugcrowd account, you can deactivate your account. When you deactivate your account, you will no longer be able to log in to Bugcrowd. You will be removed from all leaderboards and will no longer have access to your account information. Any outstanding payments will still be processed. To deactivate your account: Go to the Account tab. Click Deactivate account. The Deactivate account pop-up window appears. Specify your password to confirm that you want to delete your account. You can also provide a reason for deactivating the account. Click Deactivate. Your account will be deactivated. If you click Deactivate at this stage you will lose access to your account. If you want to re-activate your account, then send an email to support@bugcrowd.com. " } , { "title" : "Account Settings > Setting Your Privacy", "category" : "researcher", "tags" : "", "url" : "/researchers/managing-account/account-settings/setting-your-privacy/", "date" : "", "content" : "Setting Your Profile’s Visibility When you create a Bugcrowd account, you can set the profile visibility to any of the following: Public: Indicates that your username and all the details provided in your profile page are available publicly at https://bugcrowd.com/(your username), program hall of fames, and leaderboards. By default, the profile visibility is set as Public. Private: Indicates that your profile is available to only Bugcrowd and Customers that you submitted to but not publicly. To set your profile’s visibility, go to the Privacy tab. Move the slider to the right to set your profile as Public or move it to the left to set your profile as Private. 
By default, it is moved to the right. To share your profile, use the https://bugcrowd.com/(your username) link. You can also set your profile visibility on the Dashboard. For more information, see setting your profile as public or private. Associating Your Details in CrowdStream Activity You can show or hide your details such as username and your rewards from individual submissions or with accepted submissions in CrowdStream. To do this, go to the privacy tab. Move the slider (as required) for the following options: Show username: Move the slider right to display your user name for the accepted submissions in the CrowdStream activity feed. Show rewards: Move the slider right to display the reward amount for the accepted submissions in the CrowdStream activity feed." } , { "title" : "Account Settings > Updating Your Account Information", "category" : "researcher", "tags" : "", "url" : "/researchers/managing-account/account-settings/updating-your-account-details/", "date" : "", "content" : "You can update your account details such as your name, email, timezone, and mailing address. You can also provide your T-shirt size so that Bugcrowd can send you swag. Updating Account Details To update your account details: Go to the Account tab. Update the following information: First name Last name Account email (ISC)2 ID number: See adding (ISC)2 ID number Preferred Timezone: See editing time zone Click Update Profile to save your changes. Adding (ISC)2 ID number If you are an (ISC)² member, you can participate in Bugcrowd’s bug bounty programs in exchange for CPE credits. Specify the (ISC)2 ID Number if you have a certification from the International Information System Security Certification Consortium (ISC)². 
Once your (ISC)² number is added, when you find a bug, you earn up to five CPE credits for each valid bug you have found, depending on the severity of the vulnerability. Editing Time Zone You can adjust the time zone to make sure the time stamps reflect your current time zone throughout Crowdcontrol. Updating Your Swag Details If you want Bugcrowd to send you some swag, you must provide your Shirt size and Shipping address in the Swag details section on the Accounts page. Click Update profile to save the information." } , { "title" : "Account Settings > Updating Your Profile", "category" : "researcher", "tags" : "", "url" : "/researchers/managing-account/account-settings/updating-your-profile/", "date" : "", "content" : "Your profile contains details such as your username, your country, and biography. Also, you can add your Twitter, LinkedIn, and Website details to your profile, which will allow others to contact you easily. These links are displayed when your profile is set to public. Adding Your Personal Details Go to your profile picture and click Account settings. The Profile page is displayed. Provide the following information: Username: Alias for your identity Country of residence: Your location Twitter handle: Your Twitter username LinkedIn: Your LinkedIn profile URL Website: Your personal blog or profile website Biography: Introduce yourself, include your achievements and your hobbies. The character limit is 3500. You can style your text in markdown format. For markdown information, see markdown cheatsheet. Click Update profile to save your changes. Changing Your Profile Photo You can add any photo that represents and personalizes your account. However, if you choose not to add a profile photo, then a unique avatar is generated and assigned to your account. To change your profile photo: On the Profile page, click the camera icon on the left-side. The Upload avatar image pop-up window is displayed. Click Upload image and select the required image. 
The Upload avatar image window displays the selected photo. Click Save to save the image. The Profile avatar section will display the newly uploaded photo. Your profile picture is visible to the customer even if the profile is set as private. This occurs only for tracker interactions on your submissions. However, all researcher accessible and publicly available pages such as the Leaderboards, Hall of Fame, and other tabs will continue to display a default icon that hides your account from others. " } , { "title" : "Account Settings > Verifying Your Identity", "category" : "researcher", "tags" : "", "url" : "/researchers/managing-account/account-settings/verifying-your-identity/", "date" : "", "content" : "In order to qualify for consideration for some private programs, you may consider having your identity verified. You can upload a copy of your approved identification document and take a well-lit photo of your face via the embedded portal for Netverify, a third-party provider we use to perform the identity check. You have two attempts to verify your identity. Step 1: Have Your Identification Document Available Netverify recognizes most passports, identity cards, or driver’s licenses as valid options that you can use as your identification document. The list of approved documents is at NetVerify’s discretion and all licenses or IDs should be a plastic card to be recognized by their system. Step 2: Go to Your Account Settings Log in to Bugcrowd and go to your account settings. Click the Identity Verification tab. Step 3: Start the Verification Process Click Start Identity Verification to begin the identification process. You will be redirected to Netverify. Click Start verification to begin the verification process through Netverify. Step 4: Select Your Country of Citizenship Enter your document’s issuing country in the field below. 
If Netverify supports the country, you will see a list of ID types. Choose the ID type you want to use to verify your identity. Step 5: Take a Photo of Your Document Netverify allows you to choose between uploading a scan of your document or taking a picture with your computer’s webcam. We strongly recommend that you take well-lit pictures and your document is visible. Your document and the photo on your document are used to process the second part of the verification. If these are not clear, then the verification will fail. Follow the instructions on the screen for the option that you choose. Step 6: Upload a Photo of the Front of your Document Follow the instructions on the screen for the option that you choose. Step 7: Take a photo of the Back of your document (if applicable) Follow the instructions on the screen for the option that you choose. If you have chosen passport as a verification document, then skip this step. Step 8: Take a Webcam Photo of Your Face Follow the instructions on the screen for the option that you choose. Only take a photo of yourself with your webcam for this step: While Netverify’s system allows you to upload a photo for this step, it always fails the authorization. Hence, it is recommended to take a selfie. You have two attempts to verify your identity. If you have any problems or have used your attempts, send an email to support@bugcrowd.com. Step 9: Finish the Verification Process When your upload finishes, you will be redirected to Bugcrowd. It may take a few minutes for your identification to process, but when it completes, you will receive an email from support@bugcrowd.com confirming your successful identity verification and Completed will be shown as the status next to your verification attempt in your Bugcrowd researcher profile under Identity Verification. If you have another nationality you would like to verify, click on the Verify Another Identity button. 
We recommend that you verify yourself for each nationality you belong to by going through the same verification process steps again. You have two attempts to verify your identity. If you have any problems or have used your two attempts, send an email to support@bugcrowd.com." } , { "title" : "Enabling or Disabling Dark Mode", "category" : "researcher", "tags" : "account-management", "url" : "/researchers/managing-account/enabling-or-disabling-dark-mode/", "date" : "", "content" : "You can quickly turn the screen (browser) to a dark theme in Dark mode. It helps to reduce power usage by a significant amount, improves visibility for users with low vision and for those who are sensitive to bright light, and allows you to view the screen in a low-light environment. This setting is persisted across all sessions for the account it is set on. To enable dark mode, click your profile picture and then click Dark mode (switch is Off). Dark mode changes to On and your screen’s background color changes to a dark color. To disable dark mode, click Dark Mode (switch is On). Dark mode changes to Off and your screen’s background color changes to a lighter color." } , { "title" : "Performance Stats", "category" : "researcher", "tags" : "account-management", "url" : "/researchers/managing-account/performance-metrics/", "date" : "", "content" : "The Performance Stats section of your Researcher Dashboard provides the performance metrics for your submissions to the Bugcrowd platform. You can track your performance All time, Last 90 days, or Current month. The All time metrics are displayed by default. Click the Last 90 days tab to view the performance metrics for the last 90 days. The Performance Stats include: Vulnerability counts of valid submissions Accuracy of your submissions Priority percentile Rank Average severity of submitted vulnerabilities. Bugcrowd utilizes these stats to qualify Researchers for Private Program invites as well as our incentive programs on a quarterly and yearly basis." 
} , { "title" : "Performance Stats > Accuracy", "category" : "researcher", "tags" : "", "url" : "/researchers/managing-account/performance-metrics/accuracy/", "date" : "", "content" : "The Accuracy statistic indicates the percentage of submissions that are valid. It measures your ability to consistently submit valid vulnerabilities. Private Invites: The Private Program Invitation qualifications require that researchers have greater than 50% accuracy within a 90-day period. Accuracy is calculated by dividing your total number of valid vulnerabilities submitted by your total number of submissions. Valid submissions include Unresolved, Resolved, or Won’t Fix. Submissions that are Not Applicable are not used to calculate accuracy. Formula: % Accuracy = [(Valid Submissions)/(Valid Submissions + Invalid Submissions)] * 100" } , { "title" : "Performance Stats > Average Severity", "category" : "researcher", "tags" : "", "url" : "/researchers/managing-account/performance-metrics/average-severity/", "date" : "", "content" : "Average Severity indicates the level of impact a Researcher’s submissions have across the platform. It does not affect your ability to earn Private Program invites, but helps the Bugcrowd team to recognize outstanding researchers on the platform. The Average Severity section indicates your ability to submit high technical severity vulnerabilities. 
It is measured by adding the total number of submissions by its technical severity, based on a scale from 1 to 4 and dividing that number by total valid submissions. For example: 1 represents P1 (most critical vulnerability) 2 represents P2 3 represents P3 4 represents P4 (lowest critical vulnerability). P1 = 2, P2 = 0, P3 = 3, and P4 = 4. Total number of submissions based on technical severity = 1+1+3+3+3+4+4+4+4 = 28. Total number of valid submissions = 9. Average technical severity = 28/9 = 3.11" } , { "title" : "Performance Stats > Priority Percentile", "category" : "researcher", "tags" : "", "url" : "/researchers/managing-account/performance-metrics/priority-percentile/", "date" : "", "content" : "Priority Percentiles are determined by the count of valid, non-duplicate submissions a researcher has made in comparison to the rest of the crowd. Percentiles are based on these Valid Substates: Won’t Fix, Unresolved, and Resolved. The Priority percentiles section displays both a graph and visual diagram displaying a researcher’s percentile relative to all other researchers. It shows the following: All five priority levels, displayed as a different color: P1, P2, P3, P4, and P5 Displays the percentile level in relation to all Researchers. The size of the bar and the percentile value indicates the percentile level. Each percentile is a comparison of a researcher’s submission volume to all other researchers over a specific period of time; the higher the percentile, the more submissions the researcher has for that priority level compared to others. You can view the priority percentile over time or within a certain time frame such as last 90 days. The All time metrics are displayed by default. Click the Last 90 days tab to view the priority percentiles for the last 90 days." 
} , { "title" : "Performance Stats > Rank", "category" : "researcher", "tags" : "", "url" : "/researchers/managing-account/performance-metrics/rank/", "date" : "", "content" : "Your Bugcrowd rank reflects your overall position in the crowd. Your rank is determined based on the total number of Kudos points you have earned for valid submissions compared to other researchers. The more points you have, the higher your rank. The following image displays the all-time points and the current rank." } , { "title" : "Performance Stats > Vulnerability Counts", "category" : "researcher", "tags" : "", "url" : "/researchers/managing-account/performance-metrics/vulnerability-counts/", "date" : "", "content" : "The Vulnerabilities section indicates the total number of valid submissions that are marked as one of the following Submission substates: Unresolved, Resolved, or Won’t Fix. Private Program Invitations: To qualify for private program invites, a researcher must have: Four submissions submitted to the Bugcrowd platform all-time One accepted P1-P3 submission to the Bugcrowd platform all-time (non-duplicate, unresolved or resolved)" } , { "title" : "Researcher Dashboard", "category" : "researcher", "tags" : "account-management", "url" : "/researchers/managing-account/researcher-dashboard-and-profile/", "date" : "", "content" : "The researcher Dashboard provides your profile details and an insight about your performance across all programs. It displays performance metrics that you can utilize to help you understand the necessary performance adjustments required to attain personal goals and achieve Bugcrowd accolades. Setting Your Profile as Public or Private You can set your profile’s visibility as private or public. By default, it is set as public. For information to set your profile visibility, see setting your profile’s visibility. Verifying Your Identity To verify your identity, click Verify your identity. 
For more information, see verifying your identity. Viewing Your Location Your location is displayed below your name. Viewing Your Points and Rank Your Bugcrowd rank reflects your overall position in the crowd. Your rank is determined based on the total number of points you have earned for valid submissions compared to other researchers. The more points you have, the higher your rank. The following image displays the all-time points and the current rank. Viewing Your Achievements Badges are visual tokens of achievement for the valid vulnerabilities that you have submitted. The achievement badges are displayed in the Achievements section in your profile. For more information, see viewing achievement badges. Viewing Reported Vulnerabilities The Reported vulnerabilities section displays a bar graph that provides a chronological view of your total number of submitted vulnerabilities (valid and non-valid) over all-time. You can view the reported vulnerabilities based on Severity or Volume. The following image shows the reported vulnerabilities based on severity. The following image shows the reported vulnerabilities based on volume. When you hover your mouse over the bar, the number of submissions for a given time period is displayed. Viewing Submission Type and Severity The Submission type and severity section displays the volume of submissions based on the target type (example, IoT, Website, API, iOS, Android, Hardware, Other, or Not Categorized) and provides a graph of their technical severity. Setting CrowdStream Preferences You can choose whether to display your user name and/or your rewards for a submission in CrowdStream activity feed. 
For information to configure the CrowdStream visibility settings, see Viewing Program Activity Feed in CrowdStream. Viewing Quick Links The Quick links section provides quick access to valuable Bugcrowd resources such as platform documentation and program guidance. The following resources are provided: Code of conduct: Outlines the expected behaviour of all Bugcrowd community members participating in bug bounty programs, Bugcrowd online community offerings such as the Bugcrowd Community Forum, the Bugcrowd Researcher slack channel, BugBashes, and any other programs offered by Bugcrowd. Standard disclosure terms: Bugcrowd’s standard guidelines and rules of engagement for crowdsourced security program participation. This, along with the program bounty brief, outline rules and expectations to be followed when testing and submitting vulnerabilities for any program. Bugcrowd University: Quick access to security, education, and training for the whitehat hacker community. Platform resources: Quick access to news, guides, webinars, and other resources on Bugcrowd and the broader crowdsourced security industry. Documentation: Bugcrowd’s Crowdcontrol documentation helps you to understand the platform. Bugcrowd blog: All events happening at Bugcrowd such as new program announcements, product and feature launches, bug bounty education, and so on. Changelog: Lists important feature improvements and updates to the platform. Need help? Ask a Hacker: Access to the ask a hacker forum on Bugcrowd. Looking for more programs The Looking for more programs? section outlines the requirements that must be met for researchers to be invited to private programs. Viewing Hall of Fame When you have valid submissions, the Hall of Fame section is displayed on the right side of your profile. It shows the program icons for which you have qualified for Hall of Fame. In the following image: Total: Represents total number of programs for which you have qualified to receive Hall of Fame (both public and private). 
Private: Represents your total number of Hall of Fames received for private programs. On public profiles, the Hall of Fame section displays only public programs. When viewing your own dashboard, the private programs are also displayed in the Hall of Fame section. If the program is public, then when you hover your mouse on the Program’s icon, the program name and the number of points you have earned is displayed. Do Not Share Your Private Dashboard “Hall Of Fame” Publicly: Icons of Private Programs are shown in this view. If you share this image publicly, you are disclosing the existence of a Private Program, which is prohibited on Bugcrowd. The version on your Public Researcher Profile is a safe and sanitized version, which may be shared across social media. For more information, see getting on a program’s hall of fame." } , { "title" : "Security", "category" : "researcher", "tags" : "account-management", "url" : "/researchers/managing-account/security/", "date" : "", "content" : "The Security page maintains the secure control of your Bugcrowd account and includes the following: Sessions and logouts: View and manage sessions and revoke access to old devices. Security event log: Review logs that contain information about your Bugcrowd account usage. Two-Factor Authentication (2FA): Enable, change, or disable 2FA for your account." } , { "title" : "Security > Managing Sessions and Logouts", "category" : "researcher", "tags" : "", "url" : "/researchers/managing-account/security/managing-sessions-and-logouts/", "date" : "", "content" : "Each time you log in to Bugcrowd from a unique device, a new active session is created for your account. The session tracks your IP address, operating system, and browser type, and allows you to remain logged into your account indefinitely. 
It allows you to complete your work without interruption; that is, you do not have to log back in to Crowdcontrol due to inactivity timeouts.A few pages in Crowdcontrol enforce re-authentication after two hours for security purposes. For example, if you want to modify your account or security settings, you must reauthenticate.If you are not trying to access or modify sensitive data, you remain logged in to Bugcrowd indefinitely.Viewing Active SessionsTo view all active sessions for your account: Go to your Account settings. Click the Security tab. The Sessions page displays the list of active sessions. The current session is indicated as Current session. Revoking a SessionTo revoke a session, on the Sessions page, click Revoke. You will be logged out of the session." } , { "title" : "Security > Using Two-Factor Authentication", "category" : "researcher", "tags" : "", "url" : "/researchers/managing-account/security/using-two-factor-authentication/", "date" : "", "content" : "Two-factor authentication (2FA) is a security measure that adds an additional step for your login process to protect your account. It requires you to enter your login credentials along with a secondary authentication code such as a pin that an authenticator sends to your phone.2FA Compliance: If you are participating in a program that has 2FA as a compliance requirement, then you will not be able to access program details, existing submissions, or submit any new report for that program until you enable 2FA. For details, see two-factor authentication compliance.Enabling 2FABugcrowd recommends enabling 2FA because the program may have sensitive information. In some cases, it may be required by the company that runs the program.To enable 2FA for your account: Go to your Account settings. Click the Security tab and then click Two-factor authentication on the left side. Install a 2FA app compatible with your device such as Google Authenticator. 
Click iPhone or Android based on the device you have and install Google Authenticator. In Configure the app, add your Bugcrowd account to your 2FA app in any of the following ways: Scan the displayed QR code using the app on your device. Manually enter the displayed code in the app on your device. The app on your device displays a 6-digit code. In OTP code, provide the 6-digit code. Click Enable 2FA. The 2FA is enabled for your Bugcrowd account and the Two-factor authentication is successfully enabled message is displayed. Logging in Using 2FAIf 2FA is enabled for your account, then each time you log in, you will be prompted to provide the authentication code (generated on your device) along with your username and password.Disabling 2FA On the Security tab, click Two-factor authentication on the left side. Click Disable two-factor authentication. 2FA is disabled for your Bugcrowd account and you will be redirected to the Login page. When you log in to Bugcrowd, you will not be prompted to provide the authentication code. A common issue with 2FA arises when you have a new phone or your phone is lost. For assistance, send an email to support@bugcrowd.com. Enabling Backup Codes for 2FA ConfigurationYou can save 2FA backup codes in advance for situations where you might lose access to your two-factor authentication device and are not able to receive authentication codes. The backup codes will allow you to log in to your account and reset your two-factor configuration.To enable backup codes: On the Two-factor authentication page, click View backup codes. The Two-factor backup codes page is displayed. Click Generate new backup codes. A pop-up message asking for confirmation appears. Click OK. The Successfully generated two-factor backup codes message is displayed. Also, a list of codes that you can use to log in to your account is displayed. 
You can click Download to save the codes as a .txt file, click Print to save the codes as a PDF file, or click Copy to copy the codes to another file. Save these codes in a safe place, ideally in a password manager or a similar secure location. To regenerate the backup codes, click Generate new backup codes. " } , { "title" : "Security > Viewing Security Event Log", "category" : "researcher", "tags" : "", "url" : "/researchers/managing-account/security/viewing-the-security-event-log/", "date" : "", "content" : "The security event log displays when you have used your Bugcrowd account and logs select events. Generally, the log tracks new sessions, re-authenticated sessions, revoked sessions, and account updates such as changes to your username, password, or payment details. For each event, you can view the date and type of activity that occurred.If you do not recognize an event or if you think it is suspicious, send an email to support@bugcrowd.com immediately. You can also revoke a session.To view the Security Event Log: Go to your Account Settings, and click the Security tab. The Security page is displayed. Click Events on the left side. The events associated with your account are displayed. " } , { "title" : "Becoming a Researcher", "category" : "researcher", "tags" : "Onboarding", "url" : "/researchers/onboarding/becoming-a-researcher/", "date" : "", "content" : "Bug bounty programs provide opportunities for you to find and responsibly disclose vulnerabilities to companies. In return, companies reward you for your contributions to acknowledge your efforts. Over time, you can build up your reputation as a highly qualified and reliable security researcher while earning cash, points, and swag.Who can be a researcherAnyone can sign up to be a researcher. To become a researcher, you need to create an account.Researchers can participate in any public bounty program that we run. 
However, some private programs may require that you go through identity verification before you can participate.What rewards can I getThere are two main rewards: Points: The Bugcrowd platform awards you these when you submit a valid vulnerability. The more points that you accumulate, the better chance you have of making it onto our Leaderboard and the Hall of Fame for a particular program. Monetary: Financial compensation that you receive from a company when you submit a valid vulnerability to their bounty program.For more information on rewards, see our page on getting rewarded.You can also earn cool gear and Swag with qualifying submissions, through our current programs for researcher incentives.What are the rulesBefore you get started, we strongly recommend that you read our code of conduct and standard disclosure terms to understand what is expected behaviour, before joining the Crowd and participating in programs.How will I be evaluated and measuredEach time you participate in a program and submit a valid vulnerability report, you have an opportunity to build your stats and reputation on the Bugcrowd platform.Your stats are a reflection of the quality of your written reports, the impact of your discoveries, your activity level, and the reputation you’ve built by following all of our terms and conditions: Code of conduct Standard disclosure terms Website terms and conditionsHow do I create an account Go to https://bugcrowd.com/user/sign_up. Fill out the form to create your account. Choose whether or not you want to make your profile publicly available. You can always adjust this later if you change your mind. Read and agree to the terms and conditions. The Bugcrowd platform will send an e-mail that contains confirmation instructions for your account. Follow the instructions outlined in the e-mail to finish creating your account. After you’ve validated your email, you can log in to Bugcrowd and start reporting vulnerabilities. 
Welcome to the Crowd" } , { "title" : "Following the Code of Conduct", "category" : "researcher", "tags" : "Onboarding", "url" : "/researchers/onboarding/consequences/", "date" : "", "content" : "The Bugcrowd code of conduct is one of the most important resources on Bugcrowd’s platform and provides guidelines to follow as a Researcher to successfully keep to a professional path. It is mandatory that you adhere to the code of conduct when working on a bounty or engaging with our community.Enforceable areas include (but are not limited to) UNPROFESSIONAL CONDUCT Disruptive behaviour/testing Aggressive and/or Abusive behaviour Abuse of reward systems within Bugcrowd DISCLOSURE Disclosure Threat Unauthorized Disclosure of a Private Bounty and/or Unauthorized Disclosure of a Submission’s vulnerability content What happens if I behave incorrectlyDepending on the context and severity of the incident, consequences can range from educational coaching to temporary or permanent loss of platform privileges. All decisions are private matters between the Bugcrowd team and the Researcher(s) involved.How are reported incidents reviewedBugcrowd team members review all reported circumstances, for context and severity. This may include conversations with all parties involved (Researcher, Program Owner or other Bugcrowd Team members) as well as screenshots, links or prior enforcement history.If the incident under review is determined to be in violation of the Code of Conduct or Standard Disclosure Terms, the Bugcrowd team determines the appropriate response and messages the Researchers and/or Program Owners accordingly. This can range from educational messaging to either a Researcher (or a Program Owner!) to provide best practices and can escalate to a formal and permanent removal from the Bugcrowd platform.There is an opportunity to discuss the final decision through support@bugcrowd.com, if warranted." 
} , { "title" : "Welcome", "category" : "researcher", "tags" : "Onboarding", "url" : "/researchers/onboarding/welcome/", "date" : "", "content" : "To help get you started, check out the following documentation: Becoming a researcher Verifying your identity Finding a program Reporting a bug Setting up payment methods Getting rewardedIf you need help with a particular topic, you can search for it by keyword.Additional Resources, not in this wiki: Code of conduct Standard disclosure terms Resources for researchers Bugcrowd forumIf you are unable to find answers to your questions, send an email to support@bugcrowd.com.Stay up to date with Crowdcontrol updates by viewing the changelog." } , { "title" : "Credentials", "category" : "researcher", "tags" : "program-management", "url" : "/researchers/participating-in-program/credentials/", "date" : "", "content" : "For some programs, you will be assigned pre-determined credentials to use when testing the program targets.If a program has credentials, you must use them unless otherwise specified in the program’s brief. If you do not use assigned credentials, it may result in your account being flagged for improper use, temporarily or permanently blocked, and can necessitate a program removal.Getting CredentialsIf a program requires the use of credentials, you can self-assign credentials by clicking Get Credentials on the Program Brief. This option is displayed only if credentials are enabled for the program.The Credentials section displays the credentials assigned to you for the program. The number and type of credentials on each program may vary.Requesting CredentialsIf there are no credentials available for the program, then you can request credentials.Click Request Credentials.The following message is displayed indicating you will be notified when the credentials are available." 
} , { "title" : "Discovering Programs", "category" : "researcher", "tags" : "program-management", "url" : "/researchers/participating-in-program/discovering-programs/", "date" : "", "content" : "The Discovery page provides a new way for you to view programs by grouping them in categories that may interest you. The programs are grouped based on their program policies, their reward ranges, program types, or scope. If you are interested in participating in any program, click the program or view all programs for that category.To discover programs, click the Discovery tab.The program cards are displayed across different categories that you can browse.Each program card provides the following information: Program Name Teaser Reward range (minimum reward to absolute maximum, including special-case rewards) Scope indicator (1 target indicates low scope, 4 targets indicates high scope)Click See more in each section to view the complete list of programs associated with that section.Scroll down to the end of the page and click Explore All Programs to go back to the Programs page. You can use filters to find the program. For more information, see finding programs." 
} , { "title" : "Discovering Programs > Discovering Programs", "category" : "researcher", "tags" : "", "url" : "/researchers/participating-in-program/discovering-programs/viewing-just-for-you-programs/", "date" : "", "content" : "The Just For You page displays programs customized to your skills, whether earned through submissions on the platform, connecting your linked profiles, or linked certificates.You can browse the following categories, each with platform recommendations custom to your account: Experts needed: Programs that require non-standard skills that match yours Try something new: Programs with skills that are new to your profile GitHub Activity: Programs recommended based on your skills identified from your GitHub activity.You must connect your GitHub account to get recommendations.To view the programs in Just For You, go to the Discovery tab and then click Just For You.The Just For You page is displayed.Connecting Your GitHub AccountYou can connect your GitHub account and receive program recommendations based on your experience. To do this: Click Go to Account Settings. The Profile page is displayed. In External profiles, click Connect an external profile. The Connect external profile pop-up window is displayed. Click Connect for GitHub. The Authorize Bugcrowd page is displayed. Click Authorize bugcrowd. You will be redirected to https://bugcrowd.com. After the external profile is connected, the External profile connected message is displayed and the Profile page displays the connected external account in the External profiles section. Click Update profile to save the settings. When you go back to the Just For You page, the From Your GitHub Activity section is displayed that shows programs based on your skills from GitHub activity. 
" } , { "title" : "Finding Program", "category" : "researcher", "tags" : "program-management", "url" : "/researchers/participating-in-program/finding-program/", "date" : "", "content" : "Public programs are open to all Researchers but you must receive an invitation to participate in private programs. Also, private programs often have additional requirements that define the types of Researchers who may qualify for participation, including but not limited to geographical restrictions (for app/service availability), trust (like identity verification) or specific skill competency (Binary, Code Review, IoT, and so on). Each program’s brief includes its specific disclosure policy and rules that you must follow.We strive to standardize bounty briefs to limit the time required to get started; the bounty brief always mentions unusual requirements that you are expected to follow during your testing. Hence, make sure that you always read the complete brief before starting the test and agree that you have followed all requirements of the bounty brief before you report any submission.Check before you submit Out Of Scope!: Testing anything outside of the explicitly approved scope without at least first checking with support@bugcrowd.com carries the risk of a submission being marked Out-of-Scope and may result in additional disciplinary actions.Participating in Public ProgramYou can use the complete list of the Bugcrowd managed public programs to build your status as a Bugcrowd Researcher and become a member of our Crowd.Different types of bounty programs are available on Bugcrowd. To understand the different program types Bugcrowd offers to Program Owners, see Bugcrowd Programs at a Glance.Using Preset FiltersYou can use preset filters to refine the search criteria for viewing and joining programs. 
By default, all the programs are displayed.To select a preset filter, on the Programs tab, click the drop-down menu, and select any of the following filters: All: Displays all public programs. Reward: Displays programs that pay a cash reward and kudos. Points Only: Displays programs that do not pay monetary rewards. Charity: Displays programs that belong to a charity or non-profit organization. Participating: Displays programs that you are currently participating in. Joinable: Displays programs that you can self-join if you meet the eligibility requirements. Waitlisted: Displays programs that you can apply to if you meet the eligibility requirements. Accepted Invites: Displays programs that you have accepted (the invitation) to participate. Pending Invites: Displays programs for which you have received an invitation and have yet to accept. Hidden: Displays hidden programs.Searching for Programs Using Custom FiltersYou can also refine the search using filter keys in the search box.Click within the search box to view the recommended filters. The filter key suggestions are displayed as you type in the search box. Select the required option. Also, you can provide values (case-sensitive) to further refine the search.Click Search help to view a list of currently available filter keys.For information about the filter keys, see filtering programs." } , { "title" : "Finding Program > Filtering Programs", "category" : "researcher", "tags" : "", "url" : "/researchers/participating-in-program/finding-program/filtering-programs/", "date" : "", "content" : "You can use filters to find programs that match a particular set of criteria, such as the programs that have high rewards, recently started, or are recently updated.To sort through the many programs Bugcrowd offers, you can create a query using filter keys.The default filter is sort:invited-desc sort:promoted-desc hidden:false.Filter KeysThe following table provides information about the filter keys and their possible values. 
Key Value Description accepted-invite true or false Filter to show programs with accepted invitations. target-category android, api, hardware, ios, iot, other, or website Filter to show programs based on the specified target category. You can use this key multiple times within a query to view program that have either categories. For example, view programs based on android and ios categories.   specify the teaser code Filter to show programs based on the specified teaser code. charity true or false Filter based on charity status. disclosure-policy true or false Filter to show all programs that have opted to allow coordinated disclosure. ends YYYY-MM-DD, &lt;=YYYY-MM-DD, or &gt;=YYYY-MM-DD Filter based on program’s end date. following true or false Filter to show programs you have subscribed for receiving program updates. hidden true or false Filter to show the hidden programs. joinable true or false Filter to show the programs that you can self-join if eligible. waitlisted true or false Filter to show the programs that you can apply. waitlist-application approved, enqueued, not-applied, pending, or rejected Filter to show waitlist programs based on the specified application status, that is applications that are approved, enqueued, not-applied, pending approval, or rejected. When Enqueued, it means you have met the qualifications for the program but waiting on a spot to open up. Bugcrowd will send you an email as soon they can provide you access by approving your application. participant true or false Filter to show programs you have submitted to previously. participation private or public Filter to show public or private programs, respectively. pending-invite true or false Filter to show programs for which you have pending invitations. points-only true or false Filter to show lack of or presence of monetary rewards. promoted YYYY-MM-DD, &lt;=YYYY-MM-DD, or &gt;=YYYY-MM-DD Filter based on promoted date. 
rewards-max = (equal to), &lt;= (less than or equal to), or &gt;= (greater than or equal to) Filter based on maximum reward for the programs. rewards-min = (equal to), &lt;= (less than or equal to), or &gt;= (greater than or equal to) Filter based on minimum reward for the programs. invite-sent YYYY-MM-DD, &lt;=YYYY-MM-DD, or &gt;=YYYY-MM-DD Filter based on the date when the program invite was sent. starts YYYY-MM-DD, &lt;=YYYY-MM-DD, or &gt;=YYYY-MM-DD Filter based on program’s start date. status closed or live Filter based on program’s current status. safe-harbor full or partial Filter based on program’s adoption of disclose.io “Safe Harbor” requirements. sort ends-asc, ends-desc, invited-asc, invited-desc, name-asc, name-desc, promoted-asc, or promoted-desc Indicates the order (ascending or descending) in which the programs must be displayed based on-Program end date, Invited programs, Program name, Promoted programs Filter SyntaxTo create a query, you must use the following syntax:&lt;filter key&gt;:&lt;value&gt;Make sure you include a colon after the filter key and do not include any spaces between the filter key and value.You can enter multiple filter key/value pairs in the query. For example, status:live, rewards-p1-max:&gt;2. By default, the query includes sort:promoted-desc, which sorts the programs in descending order based on the dates they were promoted.Filter LogicThere is an AND operator between unique filter keys. However, multiple instances of the same filter key use the OR operator. For example, status:live status:closed participation:private returns all private programs that are live or closed.Building a QueryWhen you click in the search box, a list of available filter keys appears. 
After you select a filter key, the search box displays the possible values based on your selection.Remember: You can use as many key/value combinations as you need The AND operator (for unique filter keys) and the OR operator (between multiple instances of the same filter key) automatically apply and you do not have to specify the operators in the search bar. As you add filter key/value pairs to the query, the results are automatically refreshed.If you specify an invalid filter key or query, programs are not returned. Review the query for any errors if the results do not display the programs as expected." } , { "title" : "Joinable Programs", "category" : "researcher", "tags" : "program-management", "url" : "/researchers/participating-in-program/joinable-programs/", "date" : "", "content" : "If a program is enabled as Joinable, you can self-join a private program if you meet the eligibility criteria for that program.To join a program: On the Programs tab, select the Joinable filter option. The joinable private programs are displayed. Click View details for the selected program. The Program details are displayed. Click Join program. Join program is enabled only if you meet the eligibility criteria displayed in Program requirements (on the right side); otherwise, it is disabled. The Disclosure policy pop-up message is displayed. Click Accept terms. The Program joined message is displayed along with the Program details page. Signing NDA: If the program requires you to sign an NDA, then the Compliance requirements section is displayed. For more information, see Signing NDA for Private, Joinable, or Waitlisted Programs. After the NDA is approved, you can view the program details. If the program does not require you to sign an NDA, then the Program details page is displayed. To submit a vulnerability, click Submit report. The Report a vulnerability page is displayed. For information on how to submit a vulnerability, see reporting a bug. 
" } , { "title" : "Reviewing Bounty Briefs", "category" : "researcher", "tags" : "program-management", "url" : "/researchers/participating-in-program/reviewing-bounty-briefs/", "date" : "", "content" : "A program’s bounty brief tells you everything you need to know about the program, such as the targets, goals, and scope. It defines what is in scope for the bounty and outlines the company’s expectations. You must thoroughly review the bounty brief before you start working on a program.The brief also sets your expectations for reward, indicating if you can earn cash rewards for your vulnerability reports, at what range and an average of how long it may take for your submission to be reviewed and a reward determined, based on previously rewarded bounties.Viewing the Bounty BriefTo view the bounty brief for a particular program, go to the Programs list.Click the name of a program to view its bounty brief.The bounty brief will look like a variation of this:Each bounty brief differs depending on the needs of the company. At a minimum, it tells you the following information: The company overview. The targets you can test. Areas the company wants you to focus on: Areas that are out of scope for testing. Additional rules that you must follow. Always review the Bounty Brief before beginning testing: This helps prevent Out of Scope submissions. Reporting a vulnerability against a target not explicitly in scope may result in your report being marked as Out Of Scope, with a penalty of -1 point applied to your profile. If you have any questions about the scope of the program, please contact our support team at support@bugcrowd.com.Now we will walk through different parts of the bounty brief you might see on a program.Program Brief headerIdentifying a Managed by Bugcrowd programThis designation lets you know that the program is managed by Bugcrowd, meaning our team handles triage and support. 
The majority of programs on the platform are managed by Bugcrowd.Following a ProgramFollowing a particular program will provide you with email notifications of any important changes made on that program. These emails will include details on the exact changes made (ie Reward increases, or new targets or exclusions) and will also provide a link to the ‘Program Updates’ page. There you can find more details on any particular changes made on that specific program.You will automatically follow a program once you submit your first report to that specific program or upon accepting an invitation to a private program.For more in-depth information on following a program, see managing program subscriptions.Reward RangesReward ranges determined by vulnerability technical severity will be outlined in this section. There may also be specific conditions for rewards or vulnerabilities.In Scope TargetsIn scope targets are the areas (applications, APIs, hardware, etc) that the Program Owner will accept vulnerability reports towards.Again, be sure to only submit against in-scope targets to avoid invalid or other submission results. If you have a question, message support@bugcrowd.com.Out of scopeEach bounty has a list of targets that are out of scope. These targets must not be tested.Program RulesProgram rules provide the disclosure terms and outline any specific rules that need to be followed for this program. If you have questions about the program rules, please contact our support team at support@bugcrowd.com.It may be tempting to share your findings with others, but remember, each program has a disclosure policy that you must respect. Many programs do not want you to share the vulnerabilities that you’ve discovered with the public. Additionally, talking about a private program with another researcher who may not have been invited to the program is against the policies of Bugcrowd, as it discloses the existence of the program. 
Be smart, don’t do it.For more information on disclosure policies for Bugcrowd programs, see our Public Disclosure Policy page.Program UpdatesThis section will provide you with all the recent and past important updates which have been made to the program.Viewing the Program’s StatisticsEach program provides you insights into the rewards that have been distributed and the validation time for submissions.Viewing Known IssuesThis section provides information on previously reported vulnerabilities for the program so that you can choose how to concentrate your testing, on other areas that have not been previously reported or by choosing to focus in a specific area more deeply.For additional information, see viewing known issues.You must be signed into the platform in order to be able to view Known Issues available on Public Programs.Hall of FameFinally, Public programs include this section which shows Researchers that are in the Hall of Fame for this program. Read about entering a Program’s Hall of Fame in detail." } , { "title" : "Reviewing Bounty Briefs > Managing Program Subscriptions", "category" : "researcher", "tags" : "", "url" : "/researchers/participating-in-program/reviewing-bounty-briefs/subscribe-to-program-updates/", "date" : "", "content" : "Subscribing to a particular program will provide you with email notifications of any important changes made on that program’s bounty brief. These emails will include details on the exact changes made and will also provide a link to the Announcements page. There you can find more details on any particular changes made on that specific program.Subscribe to a ProgramThere are three ways you can subscribe to a program: The public programs page The program page By submitting a report to a programFirst, you may manually subscribe by selecting the Subscription Star. You may find this star on the public programs page on the Bugcrowd website. 
A filled star indicates you have been subscribed and agree to receive any important updates made to that program.A subscription star also appears on the program page.You may also be automatically subscribed once you submit your first bug to that specific public program. Also, you will be automatically subscribed upon accepting an invitation to a private program.Unsubscribe from a ProgramYou may unsubscribe from a program (that is active or has ended) at any time by deselecting the Subscription Star. An unfilled star indicates that you have been unsubscribed from the program and will no longer receive any important updates made to this program." } , { "title" : "Reviewing Bounty Briefs > Viewing Known Issues", "category" : "researcher", "tags" : "", "url" : "/researchers/participating-in-program/reviewing-bounty-briefs/viewing-known-issues/", "date" : "", "content" : "Optional Sharing: This feature is an optional tool used by programs that have decided to share additional information with researchers on the program brief. Therefore, researchers will only be able to see Known Issues if the feature has been enabled. Not all programs will share this information with researchers.To provide you with better visibility into the types of issues that have already been reported by other researchers, you can review the known issues for each target. You should review the known issues to get a better understanding of the areas of the target that have already been well-tested and areas that may provide better opportunities for you to contribute your work and get rewarded. This level of insight is extremely useful because it can help you reduce the likelihood of submitting a duplicate report.Known issues are grouped by target and categorized by VRT classification. Any issue with a status of triaged, unresolved, won't fix or duplicate is counted as a known issue. 
You can drill down into the issues based on their VRT classification.Program Brief ViewYou can find known issues insights on the Program Brief under the Targets section or the Known Issues section located on the right hand side.The Known Issues section will display the number of unique valid findings (triaged, unresolved, or won't fix submissions) or the total number of findings on the given program (unique findings + duplicates).Each scoped target will have a target breakdown of unique known issues as seen below.If a program is in the Hidden tab, then the Ignore Invite button is unavailable. You can click Accept Invite only.For further insights on known issues for a specific target, select the details icon as seen below.When you click the Details icon, a pop-up window will appear that provides a breakdown of known issues on a specific target by specific VRT (Vulnerability Rating Taxonomy) categories.Unique vs Total: If a program is in the Hidden tab, then the Ignore Invite button is unavailable. You can click Accept Invite only." } , { "title" : "Viewing and Accepting Program Invitations", "category" : "researcher", "tags" : "program-management", "url" : "/researchers/participating-in-program/viewing-invitations/", "date" : "", "content" : "Private Program InvitationsSome programs are invitation only. This means that the company wants or needs to restrict access to their program for a subset of researchers. Generally, invitation-only bounty programs work the same as public programs. The major difference is that they are private and you have to be invited to participate in the program. 
Usually, private programs grow over a period of time, add new scope, increase rewards, and remove restrictions to enable a larger number of researchers to participate. If you are selected to participate in a private program at launch, Bugcrowd will send an invitation roughly 48 hours prior to the start of the program (in some circumstances this may not always be possible). When a program is able to increase the number of participants and you are selected to participate, you will be able to begin testing immediately on the ongoing program. Getting Invited Bugcrowd selectively invites researchers to private programs based on the skill set required (determined based on the program) and the activity (based on your historical statistics). Also, customers can now send you a direct email invitation to participate in a private ongoing program. You will receive the email only if your email address is available in the Crowdcontrol platform. Current Qualifications: Four submissions submitted to the Bugcrowd platform all-time; One accepted P1-P3 submission to the Bugcrowd platform all-time (non-duplicate unresolved or resolved); Greater than 50% accuracy in the last 90 days; One valid P1–P3 in the last 90 days. Required Qualifications are subject to change. Viewing Invitations You can view an invitation from the email that you have received from Bugcrowd or by logging in to Bugcrowd. Viewing Invitation From Email In the email you have received from Bugcrowd, click View Invitation. The Programs tab displays the invitation as shown. Viewing Invitation in Bugcrowd Log in to Bugcrowd, click your profile icon, and then click Invites. The Programs tab displays the Pending Invitations. 
These are the programs you have been invited to and you have not accepted the invitation. Accepting an Invitation In the Programs tab, click View Invitation. The Disclosure policy pop-up message is displayed. Click Accept terms. The following screen is displayed. Information such as Reward Range, Targets, Program Rules, and the assigned credentials are displayed. Read all this information before accepting the invite. When you click Accept Invite, the Program is available in the Accepted Invites tab." } , { "title" : "Viewing and Accepting Program Invitations > Ignoring Invitation or Hiding Program", "category" : "researcher", "tags" : "", "url" : "/researchers/participating-in-program/viewing-invitations/ignoring-or-hiding-invitation/", "date" : "", "content" : "Ignoring an Invitation When you ignore an invite, your invitation is not revoked but moved into the Hidden tab in the Programs list so you can accept it at a later date. If a program is in the Hidden tab, then the Ignore Invite button is unavailable. You can click Accept Invite only. To ignore an invite: Click Ignore invite. The Ignore Invitation screen is displayed. From the Select a reason drop-down menu, select a reason for ignoring the invite. The available reasons are as shown. After selecting the reason, click Ignore Invitation. The program is displayed in the Hidden tab. Hiding a Program To hide a program: Click the Hide icon as shown. From the Select a reason drop-down menu, select a reason for hiding the program. The following reasons are available. Click Save. The program is hidden. If you want to view it at a later time, use the hidden filter option. 
" } , { "title" : "Viewing and Accepting Program Invitations > Signing NDA for Private, Joinable, or Waitlisted Programs", "category" : "researcher", "tags" : "", "url" : "/researchers/participating-in-program/viewing-invitations/signing-nda-for-program/", "date" : "", "content" : "As a means to further secure customers findings they may require signature of legal documents in order to participate in their program. After receiving an invitation/joining one will still need to sign the document prior to seeing the brief and being able to submit. We identify programs with this requirement on their teaser like shown below.After you have accepted the invite, joined a program, or your application is approved, if the program requires you to sign an NDA, then the Compliance required section is displayed.To sign the NDA for a program: In the Compliance required message, click Sign. Click I agree to use electronic records and signatures and then click CONTINUE. Read through the document or click START. When you reach the end of the document, click Sign. The Adopt Your Signature window is displayed. Provide your Full Name and Initials, and select a style for your signature. Click ADOPT AND SIGN. The signature is applied to the document. When you hover on the signature, the Required Signature Applied message is displayed. Click FINISH. The Signed document message is displayed. After Bugcrowd approves, you will receive an e-mail notification. You can now view the program details and submit a report. In case your signature is not valid, then you will receive the Re-sign notification. Resign the document. After Bugcrowd approves, you can continue to participate in the program. 
" } , { "title" : "Viewing and Accepting Program Invitations > Two-Factor Authentication Compliance", "category" : "researcher", "tags" : "", "url" : "/researchers/participating-in-program/viewing-invitations/two-factor-authentication-compliance/", "date" : "", "content" : "As a means to further secure customers findings they may require Two-Factor Authentication (2FA) to be enabled on your account in order to participate in their program. After receiving an invitation/joining one will need to enable 2FA to seeing the brief and being able to submit. We identify programs with this requirement on their brief like below.Click Enable 2FA. The Two-Factor Authentication page is displayed.To proceed, see using two-factor authentication.After enabling 2FA, you can view the program details and submit a report." } , { "title" : "Waitlisted Programs", "category" : "researcher", "tags" : "program-management", "url" : "/researchers/participating-in-program/waitlisted-programs/", "date" : "", "content" : "If a program is displayed as Waitlisted, you must meet the eligibility criteria for that program and then you can apply to the program. Applications are reviewed on a regular basis and are prioritized by program type and program need. There can be some delay between the day an application is submitted and when the application is reviewed. Some of the programs may not have any eligibility criteria. Read the program brief and if you are interested, you can apply for the program.Eligibility Updates Daily: If you have met the criteria, you may need to wait a day to view it.Viewing Prelaunched Waitlisted ProgramsWhen viewing programs, you can also view the waitlisted programs that will be launched on a future date. 
You can apply for the program when the program actually launches and if you meet the eligibility criteria. The following image displays a future date when the programs will launch. Applying for Waitlisted Programs To apply to a waitlisted program: On the Programs tab, select the Waitlisted filter option. The waitlisted programs are displayed. If you have met the eligibility criteria to apply for the program, it displays Eligible to apply as shown. Click View details for the required program. The Program details page is displayed. The Program requirements section displays the eligibility criteria that you must meet to apply to the program. If you have partially met the criteria, it will display the other criteria you need to meet. After you complete this, you can apply to the program. Apply to Program is enabled only if you meet the eligibility criteria (if there are any) displayed in Program requirements (on the right side). Otherwise, applying is disabled until the criteria are met. Click Apply to program. The Application page is displayed. You can apply for a program once only. After submitting, you cannot modify or withdraw your application. Provide the supporting evidence in the text box and click Submit. You can style your text using the Markdown syntax. For more information, see using markdown for formatting content. The Application Successful message is displayed. Also, the program displays the Application submitted on date message as shown. After Bugcrowd completes assessing your application, you will be notified whether your application is approved, enqueued, or rejected through e-mail. When enqueued, it means you have met the qualifications for the program but are waiting for a spot to open up. Bugcrowd will send you an email as soon as they can provide you access by approving your application. 
Signing NDA: After your application is approved and if the program requires you to sign an NDA, then the Compliance requirements section is displayed. For more information, see Signing NDA for Private, Joinable, or Waitlisted Programs. After the NDA is approved, you can view the program details. If the program does not require you to sign an NDA, then the Program details page is displayed. When a program is approved, the program displays Submit report. Click Submit report as shown. Read the program brief and then you can hide, subscribe, view announcements, or submit a vulnerability report. If the program is rejected, the Application rejected message is displayed. " } , { "title" : "Waitlisted Programs > Waitlisted Application Guide", "category" : "researcher", "tags" : "", "url" : "/researchers/participating-in-program/waitlisted-programs/waitlisted-application-guide/", "date" : "", "content" : "Question 1 # Security Background Summary Tell us what work you have been doing within the InfoSec community Examples: Currently a second year student studying computer science. Been working as a whitehat hacker for last 2 years. 
Developed an open source application leveraging X language and Y API, viewable at github.com/name/repository Question 2 # Education & Certifications Tell us about any courses or learnings you had relating to the program's needs Examples: OSCP Certification Masters in Cryptography from University of Z Question 3 # Security Research, Published Disclosures, & CVEs Tell us about any published findings or research you’ve done within the InfoSec Community Examples: Discovered and reported a flaw related to Y with this CVE Blog Post around X type of vulnerability Question 4 # CTF links you have participated in and details Tell us about any CTFs or challenges you’ve finished Examples: Share a link to an existing CTF on CTFtime.org Team won (1st, 3rd, 10th) place at CTF against X number of teams Question 5 # Previous Relevant Employment in the industry specified for the program Tell us about work you’ve contributed to the InfoSec industry Examples: 1 Year working on a red team for X Company, in X capacity which gave me experience with (Insert testing/Vulns) you think will be prevalent against the target types. 2+ Years experience with BugBounty hunting" } , { "title" : "Your @bugcrowdninja Email", "category" : "researcher", "tags" : "program-management", "url" : "/researchers/participating-in-program/your-bugcrowdninja-email-address/", "date" : "", "content" : "As an active Bugcrowd researcher, you have access to a [username]@bugcrowdninja.com email alias that forwards to your account’s primary email address. This email can be used to sign up for testing accounts, and in some cases is required for testing. The email alias is automatically generated when you first sign into the platform and is re-synced whenever you sign in. Because we use a third-party service to facilitate these aliases, you may need to wait up to 10 minutes after sign-in at bugcrowd.com to obtain access." 
} , { "title" : "Your @bugcrowdninja Email > Email Filter", "category" : "researcher", "tags" : "", "url" : "/researchers/participating-in-program/your-bugcrowdninja-email-address/email-filter/", "date" : "", "content" : "Occasionally, some bug bounty programs send out a substantial number of irrelevant emails to users. These are often the result of other researchers testing. For example, if a researcher has an admin account that receives notifications for certain interactions, then he or she will get emails anytime another tester performs an action. These tend to create noise for researchers and can drown out other, more important messages in their inbox. Hence, you must create an email filter that will redirect these emails to a designated Bugcrowd folder, bypassing the inbox and enabling you to better process these messages. IMPORTANT: Do Not Forget!: Remember to regularly check your newly created folder - especially when you are invited to a new program. Programs often deliver credentials in the form of an activation email, and so on. When credentials are sent by email they will appear in this folder, so be sure to check it at the start of any program. Follow the steps below to set up an email filter in Gmail: Select the gear icon on the right-hand side of the screen and select settings. Once on the settings page, navigate to the Filters and Blocked Addresses tab and select Create a new filter. In the From field, enter forward-bot@bugcrowdninja.com and then select Create filter with this search. Select Skip the Inbox (Archive it) and Apply the label:. Select the Choose label drop-down box. Create a new label to redirect and archive the @bugcrowdninja emails by selecting New label - enter a name of your choice and select Create. Select Also apply filter to X matching conversation to archive all existing emails into the newly created label/folder. Click Create filter. 
All incoming and existing forward-bot@bugcrowdninja.com emails will now be stored in the newly created label/folder found on the left-hand side of Gmail. " } , { "title" : "Frequently Asked Questions-Payment Methods", "category" : "researcher", "tags" : "receiving-rewards", "url" : "/researchers/payments/frequently-asked-questions-payment-methods/", "date" : "", "content" : "General Questions Q: Which reward payment methods does Bugcrowd offer? A: PayPal and Payoneer. Bugcrowd is also offering a new payment method called Bank Transfer. Q: I have PayPal and Payoneer payment methods configured for my account. How do I know in which account I will receive the reward? A: Your selected payment methods will be used for your rewards. Q: I do not see the payment in my Bugcrowd account. Can you track down the reward? A: If your submission is rewarded, send an email to support@bugcrowd.com. Otherwise, wait until the submission is moved into the Unresolved state and has received a cash reward. Q: I missed this week’s payments. Can it be triggered now? A: Unfortunately, payments are done once a week on Wednesday. This includes all payments until 11:59:59 PM on Tuesday (the day before). If your reward was not included in this week’s payment, it will be included in the following week. Q: Are there any taxes that I need to worry about when I receive rewards? A: Bugcrowd covers any fees from our account to the payment provider, but any additional fees are not covered. Q: Is it possible to trigger a refund? A: No, it is not possible. PayPal Specific Issues Q: What happens if an error occurs while processing payments? A: If an error occurs while Bugcrowd is processing payments, we will contact you with any error code received during the pay run. You have to work with PayPal directly to resolve the issue with your account because Bugcrowd does not have the authorization to contact them on your behalf. 
You must have your account information and provide a brief description of the issues. PayPal payments can take up to 24 hours or more to process. Payoneer Specific Issues Q: How can I change Payoneer Accounts? A: Unfortunately, due to the nature of the Payoneer system, there are limited ways to reconfigure your Payoneer account, and you can only change between payment options within Payoneer’s system. To do this, click the Need to reconfigure your account link in the Payoneer section on the Payment Methods page. Payoneer payments can take 24 hours or more to process in your account. If you have any problems with your Payoneer account, contact Payoneer support directly. You must provide your account information and a brief description of the issue. Bank Transfer Specific Questions Q: Does this change when pay runs happen? A: Not yet, payouts will continue to happen every Wednesday. Q: What happens if I do not have a bank account to transfer to? A: For assistance, send an email to support@bugcrowd.com. Q: What happens if I do nothing? A: Your account will be in an unpayable state, and will not be paid until there is an account set in the new system. Q: How do I find my Foreign Tax ID Number? A: You can find the list of international Foreign Tax Identification Numbers here. Q: What if I want to continue to use Payoneer? A: You can continue to use Payoneer. Payoneer issues a virtual bank account to you that must be configured for your funds to be transferred. To set up a Payoneer account, perform the following steps: Identify the country where you have your Payoneer bank account. When setting up your payment method, set the country to the same country as your Payoneer bank account location. Your tax form must represent your appropriate tax status and must not be changed to match as explained in the preceding step. Provide your Payoneer Bank details and save it. 
Go back to adjust your payment method details to represent your correct residential address and country information. This does not change your bank details as they are already persisted. Payments directly from Bugcrowd to your actual Bank Account provide a faster transfer timeline and lower conversion rates than Payoneer. Hence, it is recommended to link your Bank Account." } , { "title" : "Setting Up Payment Methods", "category" : "researcher", "tags" : "receiving-rewards", "url" : "/researchers/payments/setting-up-payment-methods/", "date" : "", "content" : "Bugcrowd supports the following payment methods: Bank Transfer: Amount is credited to your bank account in one or two business days; PayPal: Amount is credited to your PayPal account on the same day. You must set up at least one payment method for you to receive any payouts. After setting up your payment method, you must submit your tax form: Submitting Tax Form for U.S. Person; Submitting Tax Form for Non-US Person (Individual); Submitting Tax Form for Non-US Person (Corporation); Uploading Tax Form. Payments cannot be split across multiple accounts." } , { "title" : "Setting Up Payment Methods > Deleting Payment Method", "category" : "researcher", "tags" : "", "url" : "/researchers/payments/setting-up-payment-methods/deleting-a-payment-method/", "date" : "", "content" : "Deleting PayPal Account To remove a PayPal account from your list of payment methods, go to the Payment details page and then go to the PayPal section, and click Delete. A message is displayed asking for confirmation. Click OK. The PayPal account is removed and the following confirmation message is displayed. Also, the status in the PayPal section changes to Not connected. Deleting Payoneer Account To remove a Payoneer account from your list of payment methods, go to the Payment details page and then go to the Payoneer section, and click Delete. A message is displayed asking for confirmation. 
Click OK. The Payoneer account is removed and the following confirmation message is displayed. Also, the status in the Payoneer section changes to Not connected." } , { "title" : "Setting Up Payment Methods > Managing Bank Transfer and PayPal Payment Accounts", "category" : "researcher", "tags" : "", "url" : "/researchers/payments/setting-up-payment-methods/managing-payment-method/", "date" : "", "content" : "After adding a payment method, you can set it as a primary account, edit or delete the payment method. Setting Primary Payment Account If you have set up more than one account for payment, you can set one of the accounts as the primary account. To set up a primary payment account: In the Payout Methods section, click the Edit icon for the account that must be set as primary account. The account details are displayed. Click Make active. The selected payment account is set as primary and Active is displayed next to the payment account. Also, the primary payment account is displayed as the first preference for receiving the payout. Editing Payment Account To edit an existing payment account: Go to the Payments tab. In the Payout Methods section, click the Edit icon for the payment account that you want to edit. The existing information for the payment account is displayed. Update your account details. The fields are displayed based on your country. For example, the following screenshot shows the fields displayed for US. Click Edit to modify the general information. Click Save. The payment method details are updated. Deleting Payment Account To remove an account from your list of payment accounts: Go to the Payments tab. In the Payout Methods section, click the Delete icon for the payment account that you want to delete. A message is displayed asking for confirmation. If you want to continue, then click Delete. Else, click Cancel to return to the Payout Methods section. The payment account is removed and is not displayed in the Payout Methods section. 
" } , { "title" : "Setting Up Payment Methods > Setting Up Bank Transfer Payment Method", "category" : "researcher", "tags" : "", "url" : "/researchers/payments/setting-up-payment-methods/setting-up-bank-transfer-payment-method/", "date" : "", "content" : "Bugcrowd provides the new Bank Transfer payment method. The amount is credited to your bank account with lower currency conversion fees when compared to the existing payment methods. Also, you must submit the tax form to receive your payout.Payments can be split through collaboration. For information about collaboration, see researcher collaboration.Adding Bank Transfer Payment Method Go to the Payment details tab. If you are setting up payment details for the first time, the following page is displayed. Click Get started. Now you can begin configuring your payment setting. Click Add Payout Method. The General Information section is displayed. Select the required account type—Individual or Business. If you have selected Individual, then provide your details and click Next. If you have selected Business, then provide the details and click Next. Bank Account Holder name must match Recipient Name: Third-party payments are not allowed that is, you can only send funds to a bank account that is held by the same name of the recipient profile when setting up the payment method. The Select Payout Method section is displayed and Bank Transfer is selected by default. The fields are displayed based on the selected country. For example, if you have selected United States of America, then the fields as shown in the following image are displayed. In case your location is other than United States, then the Bank Account Country drop-down displays your country and United States of America as the options. You can select one of them as the location of the bank account as required. If you want to know your bank details from the cheque, then click the Need help? Find your bank details on a cheque link. 
The cheque details are displayed. You can note the details to specify in the preceding fields. Click the link or X to close the cheque details. After providing the required details, click Add. The Payout Method Submitted Successfully and Your payment preferences are setup messages are displayed. If your country is USA, then you must fill the tax form. You can either click Submit a Tax Form or submit the tax form at a later time. Tax Forms are required to be on-file for payouts to be issued. If you want to submit your tax declaration at a later time, click Done. The Payout Methods page displays the added payment method. To add another payment account, click Add Payment Method and follow the preceding steps. If you set up more than one payment account and you want to set one of them as the primary account, see setting primary payment account. Submitting Tax Form If you are a U.S. or non-U.S. person, you must submit the tax form to receive payouts. You can submit the tax form before or after adding a payout method. Submitting tax form for U.S. person; Submitting tax form for non-US person (individual); Submitting tax form for non-US person (corporate). After submitting the tax form, you cannot edit the information. Instead, submit another form. This will overwrite the form you submitted earlier." } , { "title" : "Setting Up Payment Methods > Setting Up New PayPal Payment Method", "category" : "researcher", "tags" : "", "url" : "/researchers/payments/setting-up-payment-methods/setting-up-paypal-payment-method/", "date" : "", "content" : "In Beta: The new PayPal payment method is in beta phase and available only for a subset of researchers. If you are able to view the Bank Transfer payment method option, then the PayPal payment method will also be available. 
However, you must enable the PayPal method. You can continue to use the existing payment methods provided in setting up payment methods. Enabling PayPal Payment Method To enable the PayPal payment method: In the Looking for PayPal? section, click the down arrow. Click Enable PayPal payment method. A pop-up message is displayed. Click OK. The PayPal payment method is enabled. Adding PayPal Payment Method In Payout Methods, click Add Payout Method. The General Information section is displayed. Select the required account type—Individual or Business. If you have selected Individual, then provide your details and click Next. If you have selected Business, then provide the details and click Next. In Select Payout Method, click PayPal. Provide the following information: Email address of your existing PayPal Account: Specify the email address that is linked to your PayPal account. Confirm the email address of your existing PayPal Account: Type the same email address. Click Add and Activate to set it as the primary account. If you want to set it as the primary account at a later time, then click Add. The Your payment preferences are set up message is displayed. If you have not submitted your tax form, see submitting tax form. If you do not submit the tax form, then you will not receive the payout. The Payout Methods page displays the added payment method. If you have clicked Add and Activate, then Active is displayed next to the payment method. If you have clicked Add and you want to set it as the primary payment method, see setting primary payment method. 
" } , { "title" : "Setting Up Payment Methods > Submitting Tax Form for Non-US Person (Corporation)", "category" : "researcher", "tags" : "", "url" : "/researchers/payments/setting-up-payment-methods/submitting-tax-form-for-non-us-person-corporation/", "date" : "", "content" : "If you are not a U.S. person and a corporate, then you must submit the W-8BEN-E substitute tax form to receive payouts. To submit the W-8BEN-E tax form: In the Payout Methods section, click Complete a new Tax Form. After you add a payment method successfully, you can also submit the tax form. Click Submit a Tax Form. The Tax Form Selection page is displayed. Read the displayed information and then select I am not a U.S. Person. Additional options are displayed. Select I am a Corporation and click Continue. The W-8BEN-E Substitute Form is displayed. Select the displayed options, provide your name, and click Certify. The following fields are displayed. For the list of international Foreign Tax Identifications Numbers, click here. &lt;/div&gt; Provide your personal information. For details about the fields, see IRS instructions for W-8BEN-E form. Click Continue. If you have selected a treaty country, then the Claim of Treaty Benefits page is displayed. Read the information provided and select the required options. The information is displayed based on the selected country. Click Continue. The Review page is displayed. Review the information and click Continue. The Certifications page is displayed. Read the displayed information and select the required options. Click Complete W-8BEN-E. A warning pop-up message is displayed indicating that you will not be able to edit the form after it is submitted. Click Submit Form. The Tax Statement Delivery Method section is displayed. Click E-DELIVERY or MAIL as per your requirement and click Continue. If you have clicked MAIL, the following message is displayed. 
After reading the information, if you want to continue with the MAIL option, then click Yes, Select Mail. The Tax Form Submitted Successfully message is displayed. Click Done. The submitted tax form is displayed in the Tax Forms section. " } , { "title" : "Setting Up Payment Methods > Submitting Tax Form for Non-US Person (Individual)", "category" : "researcher", "tags" : "", "url" : "/researchers/payments/setting-up-payment-methods/submitting-tax-form-for-non-us-person-individual/", "date" : "", "content" : "If you are not a U.S. person and are an individual, then you must submit the W-8BEN substitute tax form to receive payouts. To submit the W-8BEN tax form: In the Payout Methods section, click Complete a new Tax Form. After you add a payment method successfully, you can also submit the tax form. Click Submit a Tax Form. The Tax Form Selection page is displayed. Read the displayed information and then select I am not a U.S. Person. Additional options are displayed. Select I am an individual and click Continue. The W-8BEN Substitute Form is displayed. Select the displayed options, provide your name, and click Certify. The following fields are displayed for individuals. For the list of international Foreign Tax Identification Numbers, click here. Provide your personal information. For details about the fields, see IRS instructions for W-8BEN form. Click Continue. If you have selected a treaty country, then the Claim of Treaty Benefits page is displayed. Read the information provided and select the required options. Click Continue. Based on the selected country, this information varies. The Review section is displayed. Review the information and click Continue. The Certification section is displayed. Select the displayed options, specify your name as per the name on your income tax return, and click Complete W-8BEN. A warning pop-up message is displayed indicating that you will not be able to edit the form after it is submitted. Click Submit Form. 
The following confirmation message is displayed. Click Done to close the message. The submitted tax form is displayed in the Tax Forms section. In Statement Delivery, click the question mark icon for specifying the tax statement delivery method. By default, it is E-Delivery. A pop-up message indicating the current delivery method is displayed. Click the link to change the tax statement delivery method. The Tax Statement Delivery Method section is displayed. Click E-DELIVERY or MAIL as per your requirement and click Save. If you have clicked MAIL, the following message is displayed. After reading the information, if you want to continue with the MAIL option, click Yes, Select Mail. The delivery method is updated and displayed as shown. " } , { "title" : "Setting Up Payment Methods > Submitting Tax Form for U.S. Person", "category" : "researcher", "tags" : "", "url" : "/researchers/payments/setting-up-payment-methods/submitting-tax-form-us-person/", "date" : "", "content" : "If you are a U.S. person or subject to taxation as a U.S. person, or if you are a corporation and the entity is incorporated in the U.S., then you must submit the W-9 tax form to receive payouts. A U.S. person is: An individual who is a US citizen or US resident alien. A partnership, limited liability company, corporation, company, or association created or organized in the United States or under the laws of the United States. An estate (other than a foreign estate), or A domestic trust (as defined in US tax regulations). To submit the W-9 tax form: In the Payout Methods section, click Complete a new Tax Form. After you add a payment method successfully, you can also submit the tax form. Click Submit a Tax Form. The Tax Form Selection page is displayed. Read the displayed information. Select I am a U.S. Person and click Continue. If you have a completed form file in your local system, then click the here link and upload the form. For information about uploading the form, see uploading tax form. 
The W-9 Substitute Form section is displayed. Specify your personal information in the following fields: First/Given Name Last/Family Name Business Name (If different from Name) Address City Country State/Province Zip/Postal Code Federal Tax Classification: Select your tax classification. Social Security Number: Specify your Social Security Number in the XXX-XX-XXXX format. This field is displayed based on the selected tax classification. Employer Identification Number (EIN): Specify your Employer Identification Number in the XX-XXXXXXX format. This field is displayed based on the selected tax classification. Tax Identifier Type: If the tax classification is selected as Trust, then this field is displayed. Select the Social Security Number or Employer Identification Number option and specify the SSN number or EIN number, respectively. To update information in the preceding section, see IRS instructions for W-9 form. Click Exemptions (optional). The Exemptions section is displayed, which is optional. Specify the following: Exempt payee code: Select a code from 1-13. Click Payee Codes to view the description for each code. Exempt from FATCA reporting code: Select a code from A-M. Click Reporting Codes to view the description for each code. Click Continue. The second part of the form is displayed. Select all the displayed options, specify your name as per the name on your income tax return, and click Complete W-9. A warning pop-up message is displayed indicating that you will not be able to edit the form after it is submitted. Click Submit Form. The following confirmation message is displayed. Click Done to close the message. The submitted tax form is displayed in the Tax Forms section. In Statement Delivery, click the question mark icon for specifying the tax statement delivery method. By default, it is E-Delivery. A pop-up message indicating the current delivery method is displayed. Click the link to change the tax statement delivery method. 
The Tax Statement Delivery Method section is displayed. Click E-DELIVERY or MAIL as per your requirement and click Save. If you have clicked MAIL, the following message is displayed. After reading the information, if you want to continue with the MAIL option, click Yes, Select Mail. The delivery method is updated and displayed as shown. " } , { "title" : "Setting Up Payment Methods > Uploading Tax Form", "category" : "researcher", "tags" : "", "url" : "/researchers/payments/setting-up-payment-methods/uploading-tax-form/", "date" : "", "content" : "You must have a tax form on file to receive payments on Bugcrowd. If you do not have the completed form, download the W-8IMY form and complete it manually. For the instructions to fill the form, see IRS Instructions for Form W-8IMY. After submitting the form, you cannot edit the information. Instead, submit another form. This will void your earlier form. To upload your completed tax form: On the Tax Form - W-9 page, click the here link and then click Continue. The Upload a Tax Form page is displayed. Specify the following information: Form Type: Select the form type you will be uploading: W-9 W-8IMY W-8ECI W-8EXP W-4 8233 Revision: Select the required revision: 2017-06 2016-09 2014-04 2006-02 2003-12 2000-12 1998-10 You cannot upload a completed W-8BEN or W-8BEN-E form; you must fill these forms digitally and submit them. To do this, click the W-8BEN or W-8BEN-E links as shown. The payments page will be displayed, where you can fill and upload the form. For further information, see submitting tax form for non-US person (individual) and submitting tax form for non-US person (corporation). Click Select a file and select the completed form. Click Upload Form. The Tax Form Information section is displayed. Specify your details in the displayed fields and click Save & Submit. This information must match the information in the uploaded form and is required for end-of-year tax reporting. 
The Tax Statement Delivery Method section is displayed. Click E-DELIVERY or MAIL as per your requirement and click Continue. If you have clicked MAIL, the following message is displayed. After reading the information, if you want to continue with the MAIL option, click Yes, Select Mail. The Tax Form Submitted Successfully message is displayed. Click Done to close the message. The submitted tax form is displayed in the Tax Forms section. " } , { "title" : "Viewing Your Payments", "category" : "researcher", "tags" : "receiving-rewards", "url" : "/researchers/payments/viewing-payments/", "date" : "", "content" : "The Payments page lists your upcoming, paused, and remitted payments. You can expect to see payments for your submission appear on the Payments page as soon as they are done. Payments are sent on Wednesdays each week for rewards submitted by Tuesday midnight PST. To view a list of your upcoming and remitted payments, go to the Payments page. If you have paused payments, a notification banner appears that reflects the paused status. You can download a CSV of all your remitted payments, for record keeping." 
} , { "title" : "Viewing Your Payments > Pausing Payments", "category" : "researcher", "tags" : "", "url" : "/researchers/payments/viewing-payments/pausing-payments/", "date" : "", "content" : "You can temporarily pause payouts of all future and pending payments by selecting the Pause payments option in the Manage payments section. Click Save. The following message is displayed and the payout of all pending and future payments is paused. A banner on your Payments tab shows the paused status. Unpausing Payments: To unpause your payments, deselect the Pause payments option in the Manage Payments section and click Save. You can pause or unpause payments at any time, but if you unpause payments after midnight on Tuesday, your rewards will be transferred to you on Wednesday of the following week. The following message is displayed. The payout for current and future payments resumes." } , { "title" : "Getting Rewarded", "category" : "researcher", "tags" : "receiving-rewards", "url" : "/researchers/receiving-rewards/getting-rewarded/", "date" : "", "content" : "Earning Cash Rewards: If a program offers cash rewards, it means that they are willing to pay you for a valid bug. A valid bug is a security vulnerability that is in scope as per the bounty brief and can be reproduced by the triaging Application Security Engineer (ASE) or Program Owner. To qualify for a cash reward, you must be the first Researcher to report the vulnerability. It cannot be a duplicate of a report someone else has already reported or a known issue which has been imported by the Program Owner. You will know your submission has been accepted as valid when its status changes from Triaged to Unresolved. When this happens, the Program Owner will reward your submission. You will receive an e-mail notification that your submission has been accepted and you have been rewarded for your efforts. The Program Owner sets the reward amount with Bugcrowd’s input. 
It is typically based on the current market rate for the priority assigned to the submission and the impact of the submission for the business. This rate varies, but generally, vulnerabilities with a higher priority rating are rewarded more.Rewards vary by program.If you have questions about rewards, send an email to support@bugcrowd.com.Earning Kudos Points for Valid BugsYou are rewarded points for each valid accepted report. You must be the first person to report the bug to earn all possible points.Each bug is rated on a priority scale of P1 - P5 according to Bugcrowd’s VRT, with points rewarded accordingly: Priority Level Points Earned P1 Critical 40 points P2 High 20 points P3 Moderate 10 points P4 Low 5 points P5 Non-exploitable weaknesses 0 points Earning Points for Duplicate BugsPoints are also rewarded for duplicate submissions based on its severity. Points are rewarded for a duplicate submission when the original bug is accepted by the Program Owner. Priority Level Points Earned P1 Critical 10 points P2 High 5 points P3 Moderate 0 points P4 Low 0 points P5 Non-exploitable weaknesses 0 points If you have questions about points, send an email to support@bugcrowd.com.For more detailed information about the prioritization of a vulnerability, see Bugcrowd VRT." } , { "title" : "Getting Rewarded > Incorrect Reward Adjustment", "category" : "researcher", "tags" : "", "url" : "/researchers/receiving-rewards/getting-rewarded/adjusting-mistaken-rewards/", "date" : "", "content" : "Although rare, sometimes Program Owners have made mistakes when rewarding for vulnerabilities. Therefore, adjustments may be needed. When a reward is cancelled, an email notification is sent that provides the reason for the change. This is also available on the Submissions page. 
Program Owners can then award the correct amount.The following image provides an example of the notification email.Click View Submission Details within the email to view the recent updated amount details.You can also view the updated reward on the Submissions page. Click Accepted at the top of the page.Click on the relevant submission, and scroll down to the latest update to view the corrected amount." } , { "title" : "Getting Rewarded > Getting on a Program's Hall of Fame", "category" : "researcher", "tags" : "", "url" : "/researchers/receiving-rewards/getting-rewarded/getting-on-a-programs-hall-of-fame/", "date" : "", "content" : "Each public program has a Hall of Fame. This is similar to the Leaderboard, except that it features the security researchers who have submitted at least one valid bug report to the program. The Hall of Fame acknowledges the work of researchers who have contributed to a bounty program.To be listed in the Hall of Fame, you must submit a valid bug report. Once the report is in the unresolved or resolved state, Bugcrowd will show your profile (if it is your first bug) or update your profile.Duplicate submissions for P3, P4, and P5 levels are not considered for Hall of Fame.I earned points on a Private Program, but cannot see where I am on the leaderboard?: Because of the nature of a private program, this information is anonymized. Hence, Hall of Fame does not appear for a Private Program." } , { "title" : "Researcher Incentive Programs", "category" : "researcher", "tags" : "receiving-rewards", "url" : "/researchers/receiving-rewards/incentive-programs/", "date" : "", "content" : "Incentive programs are used to recognize and reward the Researcher community. These programs focus on challenging you to achieve new levels of success, and highlighting and celebrating your achievements throughout the year.Incentive programs are evaluated on a quarterly basis. 
The 2020 quarters correspond with the following dates: Quarter 1: 02/01/2020 - 04/30/2020; Quarter 2: 05/01/2020 - 07/31/2020; Quarter 3: 08/01/2020 - 10/31/2020; Quarter 4: 11/01/2020 - 01/31/2021. P1 Warriors Program: Finding a valid P1 priority vulnerability must be celebrated by researchers, Bugcrowd, and Program Owners! The P1 Warriors program consists of stacking badges on Researcher profiles, quarterly blog callouts, and swag. When the count of your valid P1 submissions increases, you will achieve new levels of swag. Swag for levels 150, 250, and 500 will be announced later in Quarter 1. Valid P1s are accepted submissions marked as either Unresolved, Resolved, Duplicate, or Won’t Fix. This program started on January 1, 2019, and runs continuously. Researchers have the ability to reach new levels without the counter resetting at any point. This program is not retroactive to submissions prior to January 1, 2019. Bounty Slayers Program: This program has been paused for the remainder of the year. The Bounty Slayer program’s qualifying period for 2020 will run from February 1, 2020 – April 30, 2020. This program encourages you to strive for continued performance, highlighting your ability to maintain a certain number of qualifying, accepted submissions (Resolved and Unresolved, P1-P4) and non-duplicate each quarter. Bounty Slayer has a pretty high bar set for the Standard Rewards. 
For those Researchers going above and beyond, there’s an additional Power-Up Bonus evaluated twice a year. Standard Reward (Qualification Requirements / Number of Quarters Qualified / Reward): 50 Resolved/Unresolved P1-P4 Submissions, 1 Quarter, $300; 50 Resolved/Unresolved P1-P4 Submissions, 2 Quarter, $400; 50 Resolved/Unresolved P1-P4 Submissions, 3 Quarter, $500; 50 Resolved/Unresolved P1-P4 Submissions, 4 Quarter, $800. If you are able to maintain 50 valid, accepted submissions at the qualifying priority levels (P1 - P4) and submission states (Resolved and Unresolved) non-duplicate each quarter in 2020, then you can earn an additional $2,000! Power Up Bonus: Power Up Bonuses are calculated at the end of Quarter 2 (for both Q1 and Q2) and at the end of Quarter 4 (for both Q3 and Q4). Qualification Requirements / Qualification Period / Bonus: Total of 130 Resolved/Unresolved P1-P4 Submissions within combined Q1/Q2, Q1/Q2, $500; Total of 150 Resolved/Unresolved P1-P4 Submissions within combined Q3/Q4, Q3/Q4, $1000. For Standard Rewards, if you qualify for Standard Rewards in Quarter 1 and Quarter 4, your total reward will be $700 : ($300 + $400). After each quarter, a program update blog post will be published in the following month recognizing the qualifying researchers and your reward amount will be processed accordingly. MVP Program: The MVP program qualifying period for 2020 will run from February 1, 2020 – January 31, 2021. To qualify for MVP, a Researcher must meet the following criteria in a single quarter: Maintain a minimum average accuracy rate of 80%; Achieve a priority percentile range for either P1s or P2s above 80%; Submit at least 4 qualifying, non-duplicate submissions; Have no significant enforcement infractions for six months prior to the end of the qualifying quarter. In 2020, when a researcher qualifies in a quarter, they will 
receive a piece of exclusive MVP swag! The swag increases and gets better with each quarter. After each quarter, a blog post is created for recognizing qualifying researchers and they are invited to order their MVP swag piece based on the number of quarters they have qualified. We are super excited for this year and seeing all the amazing work you will do, and we cannot wait to celebrate it! If you have questions, send an email to support@bugcrowd.com." } , { "title" : "Researcher Incentive Programs > Frequently Asked Questions-Incentive Programs", "category" : "researcher", "tags" : "", "url" : "/researchers/receiving-rewards/incentive-programs/frequently-asked-questions-incentive-programs/", "date" : "", "content" : "Resolved and unresolved submissions considered for the incentive programs: No, qualifying with resolved and unresolved submissions is only applicable for the Bounty Slayers program starting in Q3 2019. The P1 Warriors, MVP, and Hall of Fame programs consider all valid submissions. Valid submissions that qualify for the incentive programs: For the P1 Warriors and MVP programs, submissions that qualify are those that have been accepted and are marked as resolved, unresolved, duplicate, or won’t fix. For the Bounty Slayers program, starting in Q3 2019, only resolved and unresolved submissions can qualify. Changes to the Bounty Slayers program: The Bounty Slayers program has evolved over the quarters. In Q1 2019, the qualifying requirements were 10 valid submissions for the Standard reward, and 15 valid submissions for the Power Up reward. In Q2 2019, the qualifying requirements were 40 valid submissions for the Standard reward and 60 valid submissions for the Power Up reward. In Q3, the qualifying requirements are 30 resolved/unresolved submissions for the Standard reward, and 40 resolved/unresolved submissions for the Power Up reward. Collaboration submissions count toward the incentive programs: Unfortunately, no. 
However, we are looking to count collaboration submissions toward the incentive programs in the near future. Recognize researchers for submissions in the gap between researcher incentive programs (July 2018-Jan 2019): Unfortunately, no. We will not be doing anything for that period of time. We realize that this is not ideal, but there was not an easy or great way to transition the MVP program from the previous qualification period to the new one. Non-duplicate submissions applicable for the MVP program: 3 non-duplicate submissions per quarter, which equals 12 non-duplicate submissions for the entire calendar year for 2019 (January 1, 2019 – December 31, 2019). Rewards for Bounty Slayer and Bounty Slayer Power Up Programs: That is up to you! The most you can make is $3,500 if you qualify all quarters in 2019 for the Power Up tier of rewards. Disclose name in a program for private researcher profile: No, but we will list you as a Private User." } , { "title" : "Researcher Incentive Programs > Getting on the Leaderboard", "category" : "researcher", "tags" : "", "url" : "/researchers/receiving-rewards/incentive-programs/leaderboard/", "date" : "", "content" : "Bugcrowd has two Leaderboards which show top statistics for the past month and for all-time. The P1, P2 Leaderboard focuses only on P1 and P2 submissions for programs that offer cash rewards. The P1, P2, P3, and P4 Leaderboard focuses on all submissions with priorities of P1 - P4 for programs that offer cash rewards. The Leaderboards list the top 10 researchers who have the most points in each category (P1, P2 and P1 - P4), respectively. If you want to be on the Leaderboards, you must find real and critical bugs. 
Over time, the more valid reports you have, the more points you will earn. Viewing the Leaderboard for the Previous Month: The researchers recognized on the monthly Leaderboards earned the most points during that month for each category. The monthly Leaderboards reset at the beginning of every month, so every month presents a new opportunity to make it onto the Leaderboards. Happy hunting! To see who has earned the most points on each Leaderboard the previous month, go to the Leaderboard section of your researcher profile. The default view shows the P1, P2, P3, P4 monthly Leaderboard. To view the P1, P2 Leaderboard, select it from the available drop-down menu. Viewing the All-Time Leaderboard: The all-time Leaderboards show the top 10 researchers for each category who have earned the most points since the beginning of Bugcrowd time. These are the hardest working, most active, and most awesome researchers in the Crowd. To see who has the most total points, go to one of the Leaderboards and choose All Time. Share Your Success On Facebook and Twitter: The leaderboard provides a quick share link at the bottom of the leaderboard so you can share your success on Bugcrowd with the rest of the world. To share on Facebook, click the Facebook link as shown below. To share on Twitter, click the Twitter link as shown below." } , { "title" : "Researcher Incentive Programs > Researcher Achievement Badges", "category" : "researcher", "tags" : "", "url" : "/researchers/receiving-rewards/incentive-programs/viewing-achievements/", "date" : "", "content" : "Badges indicate levels of accomplishment each researcher has achieved on the Bugcrowd platform. These badges will be displayed on your public and private profile. 
Each badge type has a set of levels which researchers can progress through, climbing up that badge’s leaderboard over time. The badges are grouped into the following badge sets: P1 Warrior: Awarded for valid P1 submissions on any program, since January 1, 2019. Bounty Bee: Awarded for each program with at least one valid submission. Collaboration Crusader: Awarded for the number of unique collaboration groups with accepted submissions. Submission Shogun: Awarded for the total number of valid submissions across all programs. The Bounty Bee, Collaboration Crusader, and Submission Shogun badge levels reflect All-Time stats. In case of collaboration: Consider the example: Researcher A has a submission with researcher B. This counts as one unique group. You will earn another point for bringing in a third researcher on a separate submission with up to 5 collaborators available. Submission Shogun and P1 Warrior will receive a percentage of the submission based on the percentage defined by the primary researcher for each collaboration. For example, if the submission is split 50/50, each researcher receives 0.5 of a submission. Bounty Bee and Collaboration Crusader will receive the bounty or collaboration percentage only if the researcher has a 20% or greater share of the collaboration. Viewing Badges: You can view your badges in the Achievements section in your profile. The Leaderboard rank section indicates your performance among your friends and peers by displaying your current position within that badge type. Click See all achievements. The following are displayed: Unlocked badges: Displays the badges you have already achieved. In-progress badges: Displays the badges that you can achieve if you meet a few more criteria. Locked badges: Displays the badges you have not achieved. In the Leaderboard rank section, click on any rank. The Leaderboard page displays the top 25 ranking researchers for a badge set. 
For example, if you have clicked Bounty Bee rank (in Leaderboard rank section) in the preceding screen, then the Leaderboard page provides description of Bounty Bee at the top of the page and the top 25 ranking researchers in the Bounty Bee badge set.You can also select a badge set from the drop-down menu and view the top 25 ranking researchers for that badge set.Badge Sets, Criteria, and LevelsThe following table provides the type of badge set, the criteria that must be met to achieve that badge and the associated levels based on the number of submissions. Badge Set Criteria Level P1 Warrior Valid P1 submissions with status unresolved, resolved, and won’t fix. Submissions that use collaboration are eligible for this badge type. Level 1 = 1 P1 Submission Level 2 = 5 P1 SubmissionsLevel 3 = 10 P1 SubmissionsLevel 4 = 25 P1 SubmissionsLevel 5 = 50 P1 SubmissionsLevel 6 = 100 P1 SubmissionsLevel 7 = 150 P1 SubmissionsLevel 8 = 250 P1 Submissions*Level 9 = 500 P1 Submissions Bounty Bee Bounties with valid submissions with status unresolved, resolved, and won’t fix. Submissions that use collaboration are eligible for this badge type. Level 1 = 1 BountyLevel 2 = 5 BountiesLevel 3 = 10 BountiesLevel 4 = 25 BountiesLevel 5 = 50 BountiesLevel 6 = 100 BountiesLevel 7 = 250 BountiesLevel 8 = 500 BountiesLevel 9 = 1000 BountiesLevel 10 = 1500 Bounties*Level 11 = 2000 Bounties Submission Shogun Valid submissions with status unresolved, resolved, and won’t fix. Submissions that use collaboration are eligible for this badge type. 
Level 1 = 1 SubmissionsLevel 2 = 5 SubmissionsLevel 3 = 10 SubmissionsLevel 4 = 25 SubmissionsLevel 5 = 50 SubmissionsLevel 6 = 100 SubmissionsLevel 7 = 250 SubmissionsLevel 8 = 500 SubmissionsLevel 9 = 1000 SubmissionsLevel 10 = 2500 SubmissionsLevel 11 = 5000 SubmissionsLevel 12 = 7500 SubmissionsLevel 13 = 10000 SubmissionsLevel 14 = 12500 SubmissionsLevel 15 = 15000 SubmissionsLevel 16 = 17500 Submissions*Level 17 = 20000 Submissions Collaboration Crusader Unique collaborating groups are submissions with one or more collaborators. You only get Unique Collaboration Group points per group and not based on the number of submissions. Valid submissions with status unresolved, resolved, and won’t fix. Level 1 = 1 unique submission collaboration (unique collaborating group)Level 2 = 5 unique submission collaborationsLevel 3 = 10 unique submission collaborationsLevel 4 = 25 unique submission collaborationsLevel 5 = 50 unique submission collaborationsLevel 6 = 100 unique submission collaborations " } , { "title" : "Commenting on a Submission", "category" : "researcher", "tags" : "submission-management", "url" : "/researchers/reporting-managing-submissions/commenting/", "date" : "", "content" : "Program owners can use comments to communicate with you on your submissions. Generally, you will receive a comment on your submission if you need to provide more information or clarify something in your report.When you receive a new message, you will receive an e-mail notification that someone commented on your submission. You can click on the link in the e-mail or log in to Bugcrowd to respond.You can either send a private message to Collaborators and Bugcrowd team or send a message to everyone involved in this submission.To respond to a comment: Go to the submission for which you want to add or respond to a comment. 
In the Activity > Send a message section, select one of the following based on your requirement: Everyone - Send comment to everyone involved in the submission and the general public (if you choose to disclose the report) Bugcrowd - Send comment as a private message to collaborators and the Bugcrowd team. In the text box, type the message. You can style your text using the Markdown syntax. For more information, see using markdown for formatting content. To add attachments, click Add Attachments. For more information, see uploading attachments to your comments. Click Send message to send the message. Uploading Attachments to Your Comments: There may be times when a program owner will request more information from you or ask that you further demonstrate your findings. To provide additional evidence of your findings, you can attach a file, such as video, image, or PDF, to your comment when you respond to the program owner. This makes it easy for you to share sensitive information without uploading it to a third party, like Vimeo or YouTube. Supported file types include: .avi .gif .jpg .mov .mpeg .pdf Maximum Video Size: Videos must not exceed 20 MB. Using Syntax Highlighting: In your submissions, you can add syntax highlighting to your code blocks so that they are easier to read. For example: puts "Highlight me!" To enable syntax highlighting, you’ll need to create a fenced code block by adding triple back ticks before and after the code block and specifying the language that you’re using. For the previous example, the markdown for the fenced code block looks like this: ```ruby puts "Highlight me!" ``` For more information on syntax highlighting and the supported languages, see syntax highlighting. Editing a Comment: Editing prior to notifications: If you are able to edit the comment within two minutes after adding the comment, then the notifications to other users around the comment will use the updated text. 
Integrations will trigger right away and will not receive the updated text. To edit a comment, click the … icon on the right side of the comment and click Edit. Make the required changes and click Save Comment. The “Comment Updated” message is displayed. Deleting a Comment: You can delete comments and/or private notes. To delete a comment, click the … icon on the right side of the comment and click Delete. A pop-up message asking for confirmation is displayed. Click OK. The comment is deleted and [DELETED] is displayed in the activity feed." } , { "title" : "Public Disclosure Policy", "category" : "researcher", "tags" : "submission-management", "url" : "/researchers/reporting-managing-submissions/disclosure/", "date" : "", "content" : "Vulnerability Disclosure at Bugcrowd: Bugcrowd believes that the coordinated, orderly, public disclosure of vulnerabilities is a healthy and important part of the vulnerability disclosure process. The following disclosure policies apply to all submissions made through the Bugcrowd platform (including New, Triaged, Unresolved, Resolved, Duplicates, Out of Scope, Not Applicable, and Won’t Fix submissions). Program Owners and researchers are encouraged to work together for sharing information in a mutually agreed manner. This section explains disclosure options at Bugcrowd to both Program Owners and Crowd members. Additional Resources: Standard disclosure terms, Code of conduct, Terms of service, Researcher resources. Coordinated Disclosure: Coordinated Disclosure is the default recommended policy for all new public programs, and is strongly recommended but optional for ongoing private bounty programs. In this model, Program Owners commit to allowing researchers to publish mutually agreed information about the vulnerability after it has been fixed. Program Owners require explicit permission to disclose in the submission record. 
This applies to all the submissions for the program, regardless of validity or acceptance. In the principle of Bugcrowd’s Coordinated Disclosure, researchers can externally disclose limited or full disclosures approved by Program Owners. Bugcrowd’s Coordinated Disclosure allows Program Owners and Researchers to work through the disclosure process, during which all parties must agree on a date and the disclosure level (limited or full) for a vulnerability or exploit to be disclosed. Once the vulnerability or exploit is disclosed on Bugcrowd’s platform, the Researcher can disclose the vulnerability or exploit publicly as long as it adheres to the agreed type of disclosure - limited or full, and any other parameters agreed for the disclosure. Nondisclosure: Nondisclosure is the default policy for OnDemand and continuous Next Generation Penetration Testing. It is common in private bounty programs. In the absence of a Coordinated or Custom Disclosure policy (or in the case of any ambiguity) the expectation of the Researcher and the Program Owner is nondisclosure. This is documented in our standard disclosure terms and researcher code of conduct. This means no submissions may be publicly disclosed at any time and is designated by the following text in the program bounty brief:Custom DisclosureIn some cases, Bugcrowd customers customize disclosure requirements in their bounty brief. An example of that is Tesla, which states:Program DisclosureThe existence or details of private programs must not be communicated to anyone who is not a Bugcrowd employee or an authorized employee of the organization responsible for the program. If there is a conflict between the disclosure terms listed on a Program’s brief and the Bugcrowd Standard Disclosure Terms, the Program Brief supersedes the Bugcrowd’s terms. 
If you have any questions, send an email to support@bugcrowd.com. Accidental Disclosure: Insecure POC video sharing. It is recommended to include a video or screenshot as Proof-of-Concept in your submissions. These files should not be shared publicly. This includes uploading to any publicly accessible websites (that is, YouTube, Imgur, and so on). If the file exceeds 100MB, upload the file to a secure online service such as Vimeo, with a password. For more details, see reporting a bug documentation." } , { "title" : "Public Disclosure Policy > Disclose.io and Safe Harbor", "category" : "researcher", "tags" : "", "url" : "/researchers/reporting-managing-submissions/disclosure/disclose-io-and-safe-harbor/", "date" : "", "content" : "Disclose.io: disclose.io is a collaborative, open source and vendor-agnostic project to standardize best practices for providing a safe harbor for security researchers within bug bounty and vulnerability disclosure programs. The disclose.io legal framework is designed to balance: Legal completeness; Safe harbor for security researchers; Safe harbor for program owners; Readability for those who do not have a legal background or who do not speak English as the first language. Programs displaying the disclose.io logo are committing to a set of core terms that is focused on creating a safe harbor for good-faith security research. To uphold this commitment, Bugcrowd recommends Program Owners provide the following: Scope: An exhaustive list of In-Scope properties that the organization is explicitly providing safe harbor for the good-faith security testing, and optionally, a non-exhaustive list of Out-of-Scope properties that the organization strongly wants to discourage testing (on top of the implicit lack of safe harbor or authorization for security testing). Rewards: Indicate whether compensation will be provided for valid and unique issues and the form and magnitude of that compensation. 
Official communication channels: An exhaustive list of the communication methods that are considered acceptable by the organization for receiving and communicating about any information associated with potential vulnerabilities. Disclosure policy: An explicit policy outlining the conditions under which the existence and/or details of a reported issue may be disclosed to third parties. Examples include: Coordinated Disclosure: Vulnerability details may be shared with third parties after the vulnerability has been fixed and the Program Owner has provided permission to disclose. Discretionary Disclosure: Vulnerability details may be shared with third parties only after requesting and receiving explicit permission from the Program Owner. Non-Disclosure: Vulnerability details (and the existence of the program itself if private) cannot be shared with third parties. Safe Harbor Full safe harbor status (Safe harbor) is granted to programs that are committing to all the requirements mentioned in the preceding section. Programs that have not met all the requirements for providing full safe harbor (for example, programs that do not sufficiently define the terms as outlined in the requirements) are granted partial safe harbor status (Partial safe harbor), which does not represent the same level of commitment as full safe harbor. You can view whether a program is committed to providing safe harbor in both the Program briefs and the Program page. Safe harbor icons in Program page. Full safe harbor icon in Program Brief. Partial safe harbor icon in Program brief." } , { "title" : "Public Disclosure Policy > Disclosing Submissions", "category" : "researcher", "tags" : "", "url" : "/researchers/reporting-managing-submissions/disclosure/disclosing-submissions/", "date" : "", "content" : "Submission reports that have been approved for Coordinated Disclosure can be shared externally. 
In addition, disclosed reports are visible to the public in CrowdStream and contain a summary that you and the Program Owner have provided; this disclosure summary includes information such as program name, submission title, reward amount, VRT priority, and a timeline of activity in this submission. You can request a disclosure only if the Program Owner has enabled disclosure in the CrowdStream setting. By default, the Coordinated disclosure option is enabled. For more information, see enabling disclosed submissions in CrowdStream. It is recommended to submit disclosure requests for resolved vulnerabilities. When you create, update or cancel the disclosure request, the Program Owner is notified. The Program Owner may choose to request changes to your summary, decrease your preferred disclosure level or deny disclosure. When the disclosure request is approved or denied, you will be notified and the Disclosure request section in the submission displays the notification message. Requesting Disclosure Go to the Submissions tab, click the submission for which you want to disclose the report, and click Request disclosure. Make sure to read the public disclosure policy. Adding Disclosure Summary In Disclosure summary, provide the details of your submission. You can style your text using the Markdown syntax. For more information, see using markdown for formatting content. Selecting Disclosure Level In Disclosure level, select one of the following options: Full visibility: Full report details are visible to the public. It includes vulnerability information, summary, and complete timeline (comments and attachments). Limited visibility: Summary and timeline with comments are visible to the public. Submitting Disclosure Request After providing the disclosure summary and selecting the disclosure level, click Submit request. The Disclosure request submitted message is displayed. The status of the disclosure is changed to Pending review. 
A notification is sent to the program owner to approve the request. After the program owner approves the disclosure request, the submission will be displayed in CrowdStream activity feed. The following image shows a disclosed submission in CrowdStream. The user name and the reward amount are displayed based on your CrowdStream settings. For more information about CrowdStream settings, see setting CrowdStream visibility options. Editing Submitted Disclosure Request Before approving your request, Program Owners may request changes to your summary or you may want to update the summary and resend the request. To edit the submitted disclosure request, click Edit summary. Update the Disclosure summary and select the Disclosure level (if required) and click Save summary. The Disclosure request updated message is displayed. A notification is sent to the Program Owner. Cancelling Submitted Disclosure Request To cancel a submitted disclosure request, click Cancel request as shown. The following pop-up message is displayed. Click Cancel request. The Disclosure request cancelled message is displayed. Also, the message as shown in the following image is displayed for the submission. Viewing Approved or Denied Message from Program Owner When the Program Owner approves the disclosure request, the following message is displayed in the Disclosure request section of the submission. You can click View disclosed report to view the submission report that is published. The following screenshot shows a disclosed report with full visibility. The following screenshot shows a disclosed report with limited visibility. When the Program Owner denies the disclosure request, the following message is displayed in the Disclosure request section of the submission." 
} , { "title" : "Making an Appeal on a Submission", "category" : "researcher", "tags" : "submission-management", "url" : "/researchers/reporting-managing-submissions/making-an-appeal/", "date" : "", "content" : "In Beta: Making an appeal on a submission is in a Beta phase and thus it is not available for all researchers. For more information, send an email to support@bugcrowd.com.Researchers can opt to have their submissions reviewed by a Senior Application Security Engineer if they do not agree with the state, priority, or reward that has been provided. This applies to any submission made within the last year through the Bugcrowd platform, even those that have multiple collaborators. An email notification is sent to Bugcrowd and the request for appeal is assigned to a different Triage Team member at Bugcrowd.In Beta: You can make only one appeal per submission and the submission state must be Unresolved, Resolved, Wont Fix, Not Reproducible, Not Applicable, or Out of Scope.To make an appeal: Open the submission for which you want to make an appeal. On the right-side, in Appeals section, click Make an appeal. The Reason for appeal window is displayed. From the Reason drop-down menu, select a reason: Scope Priority Duplicate Reward amount Other In Details of appeal section, provide detailed information about why you are making the appeal. You can include any or all relevant submissions. You can style your text using the Markdown syntax. For more information, see using markdown for formatting content. In Suggest a solution section, provide a solution, which you think is good for the problem. Click Submit appeal. The Appeal submitted message is displayed and the status of the appeal is displayed as Under investigation as shown. If your suggestions to change the outcome of your submission are approved, then the appeal displays the “Appeal granted” status. If the appeal is denied or rejected, the status changes to Appeal denied as shown. 
" } , { "title" : "Reporting a Bug", "category" : "researcher", "tags" : "submission-management", "url" : "/researchers/reporting-managing-submissions/reporting-a-bug/", "date" : "", "content" : "When you find a bug or vulnerability, you must file a report to disclose your findings.Generally, you have to explain where the bug was found, who it affects, how to reproduce it, the parameters it affects, and provide Proof-of-Concept supporting information. You can upload any files or logs as supporting evidence. This not only helps quickly reproduce the issue but moves your submission through the review process faster, with no delays due to missing information.The report must contain the following information at a minimum: Section name Description Info This will be the title of your report, and should describe the type of bug found, where it was found, and the overall impact. For example, “Remote File Inclusion in Resume Upload Form allows remote code execution” is much more descriptive and helpful than “RFI Injection found.” Target The Target field identifies the specific target affected by the bug you have found. Technical Severity The Vulnerability Rating Taxonomy Classification identifies the kind of bug you have found based on our VRT, our baseline priority rating system for common bugs found on bug bounty programs. It is important that you choose the correct type so that the organization understands the risk the bug presents them. The severity rating suggested by the VRT is not guaranteed to be the severity rating applied to your submission once impact has been considered. Vulnerability details This section should include the following information: - Bug URL: The bug URL identifies the location in the application where you discovered the bug. - Description: Your report must include clear and descriptive replication steps so that the organization can easily reproduce and validate that your findings. - Additional information: Provide additional context. 
Explain what you have discovered and describe the risk and impact to the specific Program Owner. - Screenshots or videos: Provide illustrative evidence in the form of screenshots or videos that shows proof of the vulnerability. This is one of the most impactful things you can do to provide context around your submission. We strongly recommend you provide this every time you submit. Creating a Vulnerability Report From the bounty brief, click Submit Report. When the report form appears, enter a name for the report in the Info field. The summary should be descriptive and concise. Choose the target that is affected. If you do not see the target listed, choose Other. Out of Scope Targets: Before selecting Other, see the program’s brief and make sure that the affected target is not listed as Out of Scope or does not include other similar instructions. Submitting against a target that is listed as Out of Scope will result in a -1 point adjustment. Repeatedly testing outside the approved scope will result in loss of program access or platform privileges. Select the Technical Severity of the vulnerability. This drop-down displays the options based on VRT (Vulnerability Rating Taxonomy). You can type to filter the list by match. Enter the location of the vulnerability, such as the URL. Enter organized, clear, and descriptive steps to reproduce the vulnerability so that the assigned Application Security Engineer can easily reproduce and validate your findings. When the number of characters that you can type is 25 or fewer, a word counter is displayed warning you that you are reaching the maximum limit. It indicates the number of characters you can continue to type. The maximum limit is 10000 characters. Input a Trace Dump or the HTTP request. 
It is strongly recommended to upload illustrative evidence that shows proof of the vulnerability, preferably in the form of a POC video showing the vulnerability in the Program Owner’s system or screenshots at minimum. Verify that you have followed all requirements of the program brief and that you agree to abide by the Bugcrowd terms and conditions. Click Report Vulnerability to submit the report. Bugcrowd sends you an e-mail that confirms that your submission is received. When the status of the report changes or someone comments on your report, you will be notified through an e-mail or through your submission. Make sure that you promptly respond to any assigned blockers on your submissions, as a blocker means that more information is required to process your report. Uploading an Image or Video It is important to include as much information as possible to help the person reviewing your submission understand the issue, reproduce the issue, and identify how to fix it. Screenshots and Proof-of-Concept (POC) videos provide clear and exact replication steps for your submission. If you have recorded your session or have any file that can be used as evidence, upload it to the submission as a file attachment. All file types are supported, but individual upload size must be less than 100MB. You can upload up to five files. Click here for detailed instructions on how to upload video or images with your submissions. Writing a Good Bug Report When you are writing a bug report, it is important to understand the audience who will be reading your report. Bugcrowd and Program Owner Analysts may not have the same level of insight as you for the specific vulnerability. So, provide clear, concise, and descriptive information when writing your report. Organize your information Clear explanations: Order your report in the exact progression of steps in order to replicate the vulnerability successfully. Explain with clarity: It is so important that you write your report with purpose. 
Help the reader understand the security impact, replication steps, and the actions that need to be taken to address the issue, so that the submission can be processed quickly without the need for additional information. Well documented attack scenarios: Attack scenarios indicate the impact of the vulnerability. For example: “This vulnerability affects all users of your forum. When a user signs up, and enters a username of XYZ@customer.com and a password of XYZ@customer.com, then their username is accepted. An attacker can use this vulnerability in conjunction with a username enumeration issue to bruteforce forum usernames and passwords.” For more resources on writing bug reports, see the following blogs: Video: Bugcrowd University - How to make a good submission Blog: Writing Successful Submissions Bug Hunter Methodology Resources Review the Disclosure Policy for the Program It may be tempting to share your findings with others, but remember that the existence or details of private or invitation-only programs must not be communicated to anyone who is not a Bugcrowd employee or an authorized employee of the organization responsible for the program. All submissions made through the Bugcrowd platform, including Duplicates, Out of Scope, and Not Applicable submissions are covered by the Bugcrowd Standard Disclosure Terms, and vulnerabilities cannot be shared without permission or unless otherwise explicitly stated on the Program’s brief. Program Owners may select Nondisclosure, Coordinated Disclosure, or Custom Disclosure policies, and list these on their program brief. If you do not keep vulnerability data private, it is considered an unauthorized disclosure, and may result in loss of program access or platform privileges." 
} , { "title" : "Reporting a Bug > Embedded images for Submissions and Comments", "category" : "researcher", "tags" : "", "url" : "/researchers/reporting-managing-submissions/reporting-a-bug/embedded-images-for-submissions-and-comments/", "date" : "", "content" : "Embedding images directly into the markdown fields of a submission or comments enables you to provide more detailed reports that are easier to review and understand. Supported Files: While assets up to 100MB can be uploaded, only those at or less than 2MB can be embedded into the report. The supported file types are GIF, JPEG, and PNG. Adding an embedded image To embed an image to your submission or comment, follow the reporting a bug workflow, until you reach step 8: “We strongly recommend uploading illustrative evidence that…”. Click Add attachment and select your file, then click Open to begin the upload process. Once the file has finished loading onto the platform, click the clipboard icon next to the image file you want to embed into your report. This will automatically copy the markdown you need. Paste the copied markdown code into the appropriate location within your submission report. Repeat the same for additional images. If required, preview the image in the submission. Return to the reporting a bug workflow, or continue with your comment as appropriate. " } , { "title" : "Reporting a Bug > Researcher Collaboration", "category" : "researcher", "tags" : "", "url" : "/researchers/reporting-managing-submissions/reporting-a-bug/submission-collaboration/", "date" : "", "content" : "You can have shared access to a submission as collaborators, allowing all collaborators to view, comment, upload files to a submission, and split the monetary and point rewards. To collaborate on a submission: Click Submit Report at the top of the bounty page. Specify the vulnerability information and add the researchers with whom you want to collaborate. 
You can look up other researchers based on their Bugcrowd usernames and add up to 10 collaborators for a single submission. Click on the red trash can to delete a collaborator. Collaborators and rewards are not adjustable after submitting: Once the submission is submitted, collaboration fields are frozen and cannot be edited. If there are issues, send an email to support@bugcrowd.com. The reward can be split among all the collaborators based on percentage. The total percentage across all collaborators must equal 100%. ![collaboration-percent](/assets/images/researcher/collaboration/collaboration-percent.png) An error message is displayed if the percentages do not add up to 100%. ![error](/assets/images/researcher/collaboration/error.png) Once collaborators are added and the reward percentages are set, click Report Vulnerability. An email notification will be sent to all collaborators to notify them they have been invited to collaborate on a submission. In your collaborative submissions, you can view your rewards split based on the pre-determined percentages. " } , { "title" : "Retesting Submissions", "category" : "researcher", "tags" : "submission-management", "url" : "/researchers/reporting-managing-submissions/retesting-submissions/", "date" : "", "content" : "In Beta: Retesting submissions through the following workflow is in a Beta phase and thus limited to a subset of programs. Hence, only a subset of researchers are rewarded for completing retests today. For more information, send an email to support@bugcrowd.com. When customers request a retest for issues they have mitigated, such as a fixed vulnerability or chain of vulnerabilities, researchers retest the submissions to make sure they are patched successfully. Researchers will perform a retest to check whether the same vulnerability still exists or if there is a modified variant of that vulnerability. 
A retest may also be required when a new release of an application is pending, and the customer wants to make sure that there are no regressions.Usually, the following individuals receive the retest request for submissions: Researcher who has submitted the vulnerability Researcher who has submitted a similar submission (Duplicate Submission) Collaborators of a submission (if any)Receiving Request for RetestWhen a customer requests for retesting a submission, the researcher receives an email notification. The researcher can either access the submission from the email notification or from the Submissions tab.The notification message includes the reward amount that the researcher will be paid for submitting the retest results and the date by when the retest must be completed.A sample email notification is as shown.Researcher can view the retest option on the Submission Details page.Starting RetestWhen the customer requests the retest, the researcher can either accept and start the retest or reject the retest.To start the retest, go to the Submission Details page and click Start retest.Submitting Retest ResultsYou can submit the test results based on the following: Whether you were able to reproduce this vulnerability exactly as described in the original submission If you found a workaround or new related vulnerability, excluding the vulnerability described in the exact steps in the original submission Summary of how you retested this vulnerability. You can style your text using the Markdown syntax. For more information, see using markdown for formatting content.After answering the questions, click Complete retest.If you want to complete the retest later, then click Maybe later. 
However, if you have answered any of the retest questions, then they will not be saved. The retest results are submitted to the customer. If the researchers do not complete the retest within a defined period of time, then the submission is reassigned for retest to the next researcher in the responsibility chain who does not have a pending retest. A notification is sent to the researcher indicating that the retest has expired and the submission will be assigned to another researcher (or a Bugcrowd ASE). In the Activity Feed, a researcher can view the retest history performed by themselves or collaborators but cannot view the activity for the retest assigned to the second researcher or their collaborators. Rejecting Retest Request If you do not want to perform the retest, click Reject retest. A retest rejection message is displayed and a notification is sent to the customer that the researcher has declined the retest request. Retesting Duplicate Submission If there is a duplicate submission, then the retest request can be sent only for the parent submission and not for the duplicate submission. The researcher who submitted the parent submission and the researcher who submitted the duplicate submission both receive the retest request. Retesting Collaborative Submission In case of collaborative submission, depending on the defined reward split percentage only two researchers will receive the retest request. For example, if the reward percentage for the researchers is defined as 50%, 30%, and 20%, then the researchers with 50% and 30% will receive the retest request. If one of the collaborators does not accept the request, then the next collaborator in the queue will receive the retest request." 
} , { "title" : "Submission Page", "category" : "researcher", "tags" : "submission-management", "url" : "/researchers/reporting-managing-submissions/submission-page/", "date" : "", "content" : "The Submissions page provides a snapshot of the vulnerabilities you have reported.You can view the current state of a submission, the number of comments, accepted submissions, the amount and points rewarded.From this page, you can: Filter and view your submissions by status View the submission details and communicate with Bugcrowd and the customer through comments Monitor and address any blockers. View the amount you are paid for the filtered submissions. View the total points you have earned, points earned individually (solo), and points earned from collaboration for the filtered submissions.Finding a Specific SubmissionUsing the search bar on the page, you can select a pre-defined filter to find submissions based on their current status or you can build your own by specifying exact variables.If you need information about the search operators, click Search Help.Monitor Submission ActivityTo view a submission’s details, click on the required submission. You will be able to view the history of all events logged for that submission, in the order in which they occurred, and comments you have added, the Bugcrowd team, or the Program Owner(s).Activities tracked include: Adjustments made to a submission’s priority Changes to the submission status Monetary and point rewards Any comments made on the submissionCommenting on a SubmissionProgram owners and the Bugcrowd team use comments to communicate with you on your submissions. Generally, you will receive a comment on your submission if you must provide additional information in your report. This is required to complete the triage process.When a submission receives a new comment or has a blocker, an e-mail notification is sent to you. 
You can click on the link in the e-mail or log into Bugcrowd to respond.To respond to a comment, go to the submission, and add your comment in the text box as shown.Click Send Message to send your response.BlockersSubmission blockers notify you if a user is blocked and requires an action or additional information from you to proceed. For more information, see blockers." } , { "title" : "Submission Page > Filtering Submissions", "category" : "researcher", "tags" : "", "url" : "/researchers/reporting-managing-submissions/submission-page/filtering-submissions/", "date" : "", "content" : "You can use filters to view submissions that match a particular set of criteria. For example, you can query submissions that you may need to follow up, such as the submissions that have been identified as valid but the researcher is not yet rewarded.To filter your submissions, create a query using filter keys.Filter KeysFilter keys narrow your submissions to a specific set of results.The following table provides the filter keys and the possible values. Key Value Notes duplicate true or false Filter submissions based on whether the submission is a duplicate of another submission or not. payments none or present Returns submissions based on whether payments are set or not set. points none or present Returns submissions based on whether points have been assigned. program   Matches the Bounty code that is present in the URL path, such as bugcrowd, mastercard, and so on. Supports negative search. program-status live, closed, or invited Returns submissions based on their program status. severity 1-5, none or present Displays submissions based on the severity assigned. Supports negative search. sort updated-asc, updated-desc, points-asc, points-desc, submitted-asc, submitted-desc, payment-asc, or payment-desc Displays the submissions based on the sort order. 
source email, external_form, or platform Returns submissions based on their originating source, such as through email, external form, or program brief. Supports negative search. state new, triaged, wont-fix, not-applicable, out-of-scope, unresolved, or resolved Shows submissions based on the current status. Supports negative search. target   Displays submissions based on the target name. Supports negative search. target-type website, api, mobile, iot, ios, android, hardware, or other Displays submissions based on the target type. submitted YYYY-MM-DD, &lt; YYYY-MM-DD, or &gt;YYYY-MM-DD Returns submissions that were submitted during the specified date range. payment-date YYYY-MM-DD, &lt; YYYY-MM-DD, or &gt;YYYY-MM-DD Returns submissions that were paid on, before, or after the specified date. points-awarded-date YYYY-MM-DD, &lt; YYYY-MM-DD, or &gt;YYYY-MM-DD Returns submissions that were awarded points on, before, or after the specified date. vrt application-level-denial-of-service-(dos), application-level-denial-of-service-(dos)/app-crash, application-level-denial-of-service-(dos)/critical-impact-and-or-easy-difficulty, application-level-denial-of-service-(dos)/high-impact-and-or-medium-difficulty, broken-access-contro-(bac), broken-access-contro-(bac)/exposed-sensitive-android-content, broken-access-contro-(bac)/exposed-sensitive-android-content, broken-access-contro-(bac)/insecure-direct-object-references-(idor), broken-access-contro-(bac)/server-side-request-forgery-(ssrf),broken-access-contro-(bac)/username-enumeration, broken-authetication-and-session-management, or broken-authentication-and-session-management/authentication-bypass Returns submissions based on the VRT category or subcategory for the submissions you have created. 
Filter Syntax To create a query, use the following syntax: &lt;filter key&gt;:&lt;value&gt;. Make sure you include a colon after the filter key and do not include any spaces between the filter key and value. You can enter multiple filter key/value pairs in the query, such as: state:new program:bugcrowd. By default, the query includes sort:submitted-desc, which sorts your submissions in descending order based on the dates they were submitted. You can remove or replace this filter key/value. Filter Logic There is an AND operator between unique filter keys. However, multiple instances of the same filter key use the OR operator. For example, state:new state:triaged program:bugcrowd returns all submissions that have a state of either triaged or new and are part of the Bugcrowd program. Negative Search A few filters allow negative search, which allows you to find values that do not meet the specified value. To perform a negative search, add a - before the key, such as -state:triaged. You can perform a negative search with the state, program, and target filter keys. Building a Query To help you build a submissions query, a list of available filter keys will appear when you click in the search field. After you select a filter key, the search field will show you possible values based on your selection. You can use as many key/value combinations as required. There is an AND operator between unique filter keys and an OR operator between multiple instances of the same filter key. As you add filter key/value pairs to the query, the results automatically refresh to display the latest results. If you input an invalid filter key or query, no submissions will be returned. Review your query for any errors if the results do not show the expected submissions. Preset Queries Preset queries let you quickly find submissions that are pending, accepted, or are duplicates. Click on the filter and the query will display in the search field. The following preset queries are available. 
Query Filters Description Pending state:new state:triaged Finds submissions that have yet to be accepted or rejected. Accepted state:unresolved state:resolved Shows submissions that have a resolved or unresolved status. No Reward state:wont-fix state:out-of-scope state:not-applicable state:not-reproducible Returns submissions that have been rejected. Duplicate duplicate:true Looks for submissions that have been marked as a duplicate. " } , { "title" : "Submission Page > Blockers", "category" : "researcher", "tags" : "", "url" : "/researchers/reporting-managing-submissions/submission-page/submission-blockers/", "date" : "", "content" : "Blockers flag submissions that require input from other users on CrowdControl. They are generally requests for information from Bugcrowd ASEs or customers who want to clarify any issues and unblock progress on a submission. For example, if the steps to reproduce an issue are incomplete or unclear, an ASE may ask you to provide additional details or context.Blockers help ASEs or customers collect much-needed information and provide better visibility into the submission’s current state. Each time a blocker is created or resolved, the activity is logged in the submission’s activity feed.View Blocker AlertsTo help you identify submissions that are blocked, an alert can be seen directly from your submissions page. The alert notifies you that the submission has been marked by a Bugcrowd ASE or customer as blocked and needs something from you.On the submission, the blocker is displayed at the top as a page alert. The page alert includes a brief description and identifies who has blocked the submission. 
For example, “Waiting on the researcher to provide information” indicates that the ASE is waiting for a response. Bugcrowd ASEs will provide further context of the blocker in a comment in the activity feed. Search for Blockers Generally, submissions that transition between the New and Triage states may require more information as they are being reviewed. Therefore, blockers will appear more often on submissions in these two states. To easily find blockers, you can filter your submissions using the blocked-by filter. You can then filter by submissions blocked by anyone, customers, researchers, or Bugcrowd operations. You can also search for unblocked submissions. For more information on filtering submissions, see filtering submissions. Resolve Blockers To resolve a blocker, you must provide the information in a comment on the submission, select the Notify Bugcrowd Operations that the blocker is resolved option, and then click Send message. After you resolve the blocker, it will be updated on the activity feed and a green checkmark icon will indicate the blocker has been resolved. If you have already replied with the requested information, and have forgotten to clear the blocker in the same action, please comment again, indicating you are doing so to clear the blocker. Failing to clear the blocker may delay an otherwise timely response to submission as the ASE or Program Owner may not click into the submission itself if they see that the Blocker is still in place." } , { "title" : "Submitting Vulnerability Using Embedded Form", "category" : "researcher", "tags" : "submission-management", "url" : "/researchers/reporting-managing-submissions/submitting-vulnerability-using-embedded-form/", "date" : "", "content" : "Researchers can easily submit vulnerability reports within our Customer’s websites and apps to Bugcrowd without signing into Bugcrowd. 
An example of this embedded form is available at https://www.bugcrowd.com/hackme-external-form/.Hack Me program is setup for testing Bugcrowd functionality from a researcher perspective. If you submit vulnerabilities using the Hack Me embedded form, it will not be reviewed or triaged. To submit actual vulnerabilities found on Bugcrowd, submit them to the Bugcrowd program and not the HackMe form.In the form, provide the vulnerability details such as technical severity, detailed description, vulnerability location, trace/HTTP dump, and any other additional information. You can provide your email address to receive updates for the reported vulnerability and a claim ticket. Later, you can use this claim ticket to log in to Bugcrowd to receive the reward for your submission.Reporting VulnerabilityTo report a vulnerability on an external form found in the wild: Fill in the form with the relevant information. Field Sub Field Details Info   Provide a summary about the vulnerability. Technical severity   Select the vulnerability type. Based on Bugcrowd’s Vulnerability Rating Taxonomy (VRT), a baseline technical severity rating is assigned. Vulnerability details URL/Location of vulnerability Provide the URL or location of the vulnerability.   Description Provide detailed description about the vulnerability. It can include information such as security impact, replication steps, proof of concept, or any other details.   Trace dump/HTTP request Specify the trace dump or HTTP request.   Any additional information Provide additional information that is relevant to the submitted vulnerability. Attachments   Click Add Attachments and upload images or videos related to the vulnerability. For example, demo of the replication steps, proof-of-concept scripts, screenshots, or any other relevant images or videos. You can attach multiple files (up to five). Each file size must be less than 100MB. 
Email   Provide your email address for receiving an email that allows you to claim the submission on . You can provide an email ID that is already registered with Bugcrowd or provide any other email ID.     Confirmation   Select I agree to the Bugcrowd terms &amp; conditions as well as any additional rules and instructions provided by the organization hosting this program option. Click Report Vulnerability. The Your submission has been received message is displayed along with the submission ID. Also, you will receive an email for claiming your submission. Receiving Email NotificationsYou will receive notification emails from Bugcrowd that informs you about the submission changes until you claim your submission. When a submission is updated, transitioned (status change), or commented, you will receive a notification email from Bugcrowd.The following image shows a notification email that you will receive when a submission is transitioned to Triaged state.The following image shows a notification email that you will receive when the submission details are updated.If you do not want to receive notifications, click unsubscribe. For more information, see unsubscribing from submissions.Claiming Your SubmissionTo receive the reward for the submitted vulnerability, perform the following to claim your submission: In the email you have received, click Claim the submission. The Log in to Bugcrowd page is displayed. If you already have a Bugcrowd account, then use that email ID, associated password, and click Log in. If you do not have a Bugcrowd account, then click create an account. For information about creating an account, see becoming a researcher. The Claim your reward page is displayed. Also, the Signed in successfully message is displayed. Click Claim. The Successfully claimed message is displayed and you are redirected to the Payments tab. Claim with a different account: if you want to use another account to claim your reward. The Log in to Bugcrowd page is displayed. 
If you already have an account with Bugcrowd, use the same email ID and password. Else, create an account and then log in. For information about creating an account, see becoming a researcher. Unsubscribing from SubmissionsYou can unsubscribe from submissions so that you will no longer receive any correspondence or updates.To unsubscribe from a submission: In the email that you have received for claiming your submission, click unsubscribe. The Unsubscribe from submission page is displayed. Select any of the following reasons: This submission was not submitted by me I have no interest in engaging with this submission Other: Provide any other reason Click Unsubscribe. When you unsubscribe from a submission, an activity is added on the submission and includes the unsubscribe reason. " } , { "title" : "Understanding Substates", "category" : "researcher", "tags" : "submission-management", "url" : "/researchers/reporting-managing-submissions/understanding-substates/", "date" : "", "content" : "Substates are a representation of the current status of a submission at any particular time. They change throughout the triage process, depending on the impact and report structure.When you create a submission, its status will always be “New.” Once an assigned Application Security Engineer has reviewed the submission, the substate will be updated.There are three categories of statuses: open, accepted, and rejected. Within each category are the following substates:Open Substate Is a Valid Submission? Description New N/A A submission that has not been reviewed or assigned a status. Triaged N/A A submission that may be valid, but needs to be reviewed again and validated. Accepted Substate Is a Valid Submission? Description Unresolved Valid A valid submission that needs to be fixed by the Program Owners. Resolved Valid A valid submission that has been fixed by the Program Owners. Rejected Substate Is a Valid Submission? 
Description Out of Scope Invalid A submission which is rejected because it is not in scope with the criteria outlined in the bounty brief. Not Reproducible Invalid A submission which is rejected because the vulnerability cannot be reproduced based on the information given. Won’t Fix Valid A submission that is rejected because it is seen as an accepted business risk, does not impact the organization, or users of the target. Not Applicable N/A A submission that does not apply to the target or application. " } , { "title" : "Viewing Activity Feed in CrowdStream", "category" : "researcher", "tags" : "submission-management", "url" : "/researchers/reporting-managing-submissions/viewing-program-activity-feed-in-crowdstream/", "date" : "", "content" : "CrowdStream is Bugcrowd’s public activity feed and displays the activities for unresolved, resolved, or coordinated disclosed submissions depending on the configured level of visibility. You can see who is active on Crowdcontrol and find opportunities for future hunting.An activity feed displays the program name, researcher name, priority, target, time taken for resolution or acceptance, and/or reward amount based on the configured visibility settings.In CrowdStream activity feed, the undisclosed submissions are displayed without the program name.You can view the CrowdStream activity feed at the following locations after logging in as a researcher: Application-wide activity feed: Click CrowdStream to view a list of activities across all programs in the application. The activity is displayed for one week from the date it was accepted. Researcher specific activity feed: Go to Dashboard and then click CrowdStream to view a list of activities for the programs that you are associated. The activity is displayed for six months from the date it was accepted. Program specific activity feed: Select a program and click CrowdStream to view a list of activities for the selected program. 
The activity is displayed for six months from the date it was accepted.You can view the activity feed using the following link as a visitor without logging into Bugcrowd:https://bugcrowd.com/crowdstream.The public list of activities across all programs are displayed.Setting CrowdStream Visibility OptionsYou can choose to display or hide your username and/or reward amount you have received for a submission in the CrowdStream activity feed.To set the CrowdStream visibility preferences, go to your Profile page and view the CrowdStream visibility options on the right.Move the slider (as required) for the following options: Show username: Move the slider right to display your user name for the accepted submissions in the CrowdStream activity feed. Show rewards: Move the slider right to display the reward amount for the accepted submissions in the CrowdStream activity feed.A submission with the user name and the reward amount is displayed in CrowdStream as shown.If you move the slider to the left, then your username and/or reward amount is not displayed in the CrowdStream activity feed.Program owners also have the option to set the CrowdStream visibility for each submission. For more information, see CrowdStream activity feed settings by program owner.Depending on your visibility settings and the visibility settings configured by the program owner, the information is displayed for submissions in the CrowdStream activity feed." } , { "title" : "Changelog > Comparison Operators for Dates", "category" : "researcher", "tags" : "", "url" : "/changelog/comparison-operators-for-dates/", "date" : "2017-02-15 00:00:00 +0000", "content" : "Improved Tokenized date search - The ">" and "=" and "<=", where the dates specified are now included in the search. 
For example, the search for <= Feb 28, 2019 will include submissions on Feb 28, 2019.![comparison-operators](/assets/images/researcher/changelog/comparison-operators.png)" } , { "title" : "Changelog > Improved Clarity and Workflow", "category" : "researcher", "tags" : "", "url" : "/changelog/improved-clarity-and-workflow/", "date" : "2017-07-06 00:00:00 +0000", "content" : "This update delivers helpful tools to help improve the platform experience for both researcher and customers." } , { "title" : "Changelog > VRT Goes Open Source", "category" : "researcher", "tags" : "", "url" : "/changelog/vrt-goes-open-source/", "date" : "2017-07-26 00:00:00 +0000", "content" : "The Bugcrowd Vulnerability Rating Taxonomy is now open sourced on GitHub and offers streamlined integration with VRT gem." } , { "title" : "Changelog > Introducing VRT 1.3", "category" : "researcher", "tags" : "", "url" : "/changelog/introducing-vrt-13/", "date" : "2017-10-04 00:00:00 +0000", "content" : "VRT 1.3 includes changes to improve the alignment of the VRT to the newest release of OWASP's Top 10 2017 and mapped the VRT to CVSS." } , { "title" : "Changelog > New Submission Search Bar and Filtering", "category" : "researcher", "tags" : "", "url" : "/changelog/new-submission-search-bar-and-filtering/", "date" : "2017-11-21 00:00:00 +0000", "content" : "This update introduces comprehensive submission filtering capabilities, with a new intuitive search bar providing unique filter sets built to optimize the amount of time spent finding submissions." } , { "title" : "Changelog > Enhanced Security & Improved Functionality Offer Seamless Usability", "category" : "researcher", "tags" : "", "url" : "/changelog/enhanced-security-improved-functionality-offer-seamless-usability/", "date" : "2017-12-21 00:00:00 +0000", "content" : "This update includes a security enhancement as we have implemented CSP protections to better protect from possible vulnerabilities. 
In addition, we released the ability to seamlessly sort the order of the targets on your program brief with a drag-and-drop feature. The submission search bar has been updated to include additional filtering for both our customers and researchers." } , { "title" : "Changelog > Improved Program Performance Tracking and Platform Efficiency", "category" : "researcher", "tags" : "", "url" : "/changelog/improved-program-performance-tracking-and-platform-efficiency/", "date" : "2018-01-17 00:00:00 +0000", "content" : "Introducing a new program performance metric on the Program Page, highlighting the time it takes organizations to validate incoming submissions. Crowdcontrol's submission search bar continues to improve the efficiency of finding submissions by adding the ability to search by VRT categories. Customers can track credential allocation if their program is using credentials." } , { "title" : "Changelog > New Crowdcontrol Enhancements Add Improved Platform Efficiencies", "category" : "researcher", "tags" : "", "url" : "/changelog/new-crowdcontrol-enhancements-add-improved-platform-efficiencies/", "date" : "2018-02-15 00:00:00 +0000", "content" : "Significant improvements have been made to Crowdcontrol to build upon its current intuitive experience and offer enhancements that will help improve the efficiency of everyday users. Each enhancement augments the use of existing features such as the Submission Search Bar, JIRA integration, Insights Dashboard, and Notifications." 
} , { "title" : "Changelog > Crowdcontrol Increases Visibility", "category" : "researcher", "tags" : "", "url" : "/changelog/crowdcontrol-increases-visibility/", "date" : "2018-04-16 00:00:00 +0000", "content" : "This update introduces a new feature, Known Issue Sharing, enabling organizations to provide added visibility into a program (read [Bugcrowd’s blog](https://www.bugcrowd.com/new-feature-known-issue-sharing-increases-program-visibility-to-heighten-the-focus-of-crowdsourced-security-testing/) to learn more).Bugcrowd now makes it easy to view changes and updates made in Crowdcontrol by visiting [bugcrowd.com/changelog](/changelog)." } , { "title" : "Changelog > Heightened Platform Security and Usability", "category" : "researcher", "tags" : "", "url" : "/changelog/heightened-platform-security-and-usability/", "date" : "2018-04-17 00:00:00 +0000", "content" : "Advancements have been made to Crowdcontrol to bolster the security of the platform as well as improve its usability. The updates now offer advancements that offer a workflow built to improve the efficiency of everyday users." } , { "title" : "Changelog > Updating to VRT 1.4", "category" : "researcher", "tags" : "", "url" : "/changelog/updating-to-vrt-14/", "date" : "2018-06-19 00:00:00 +0000", "content" : "VRT 1.4 includes general updates/refined classifications along with mappings to Common Weakness Enumeration (CWE) and remediation advice." } , { "title" : "Changelog > Enhanced Security Tracking Capability", "category" : "researcher", "tags" : "", "url" : "/changelog/enhanced-security-tracking-capability/", "date" : "2018-07-02 00:00:00 +0000", "content" : "Crowdcontrol makes it easy to identify unusual activity on your account with the Security Event Log, which tracks events such as new sessions or modifications to your credentials. This is available for both customers and researchers." 
} , { "title" : "Changelog > Advanced Crowdcontrol UX", "category" : "researcher", "tags" : "", "url" : "/changelog/advanced-crowdcontrol-ux/", "date" : "2018-07-03 00:00:00 +0000", "content" : "A number of improvements have been implemented in Crowdcontrol, delivering a more intuitive and effective user experience." } , { "title" : "Changelog > Improved Platform Usability", "category" : "researcher", "tags" : "", "url" : "/changelog/improved-platform-usability/", "date" : "2018-07-10 00:00:00 +0000", "content" : "Advancements have been made to Crowdcontrol to improve its usability. These updates deliver increased functionality built to improve the efficiency of everyday users. For example, tokenized search capabilities have been enhanced for all users to find exactly what they’re looking for efficiently and effectively. Additionally, Known Issue Sharing now displays “Won’t Fix” submissions to help researchers avoid spending time on vulnerability types they may be duped against." } , { "title" : "Changelog > Hacker Education with Bugcrowd University", "category" : "researcher", "tags" : "", "url" : "/changelog/hacker-education-with-bugcrowd-university/", "date" : "2018-08-07 00:00:00 +0000", "content" : "Bugcrowd is excited to announce Bugcrowd University to help educate and empower the Crowd with the latest skills and methodologies." } , { "title" : "Changelog > Crowdcontrol Usability More Intuitive", "category" : "researcher", "tags" : "", "url" : "/changelog/crowdcontrol-usability-more-intuitive/", "date" : "2018-08-15 00:00:00 +0000", "content" : "Improvements were made to increase the platform’s ease-of-use. Updating submissions is now easier than ever, and identifying Bugcrowd within the activity feed is now easier." 
} , { "title" : "Changelog > Improvements Made to Boost Submission Workflow Efficiency", "category" : "researcher", "tags" : "", "url" : "/changelog/improvements-made-to-boost-submission-workflow-efficiency/", "date" : "2018-09-18 00:00:00 +0000", "content" : "Significant improvements have been made to increase the speed and efficiency of the submission workflow within Crowdcontrol. Submission blockers have been added to inform users (customers and researchers) when a specific action is required to further assist the vulnerability triage, validation, and fix process. It is now easier to adjust submission data as users can now edit multiple fields at one time. Searching for submissions has been improved with the ability to apply multiple sort criteria to the tokenized search." } , { "title" : "Changelog > Added Platform Usability and Preference Control", "category" : "researcher", "tags" : "", "url" : "/changelog/added-platform-usability-and-preference-control/", "date" : "2018-09-19 00:00:00 +0000", "content" : "Recent updates include added usability and control for users. Researchers can now easily filter by and view “Pending Invitations” to programs that have yet to start. Additionally, researchers can also pause and unpause payments as needed." } , { "title" : "Changelog > Crowdcontrol Improves Adjusted Payment Workflow", "category" : "researcher", "tags" : "", "url" : "/changelog/crowdcontrol-improves-adjusted-payment-workflow/", "date" : "2018-09-24 00:00:00 +0000", "content" : "Although rare, customers have made a mistake when rewarding for vulnerabilities and, therefore, adjustments may be needed. Upon the cancelation of a reward, researchers will be notified and informed of the reason for the change. Customers can then award the correct amount." 
} , { "title" : "Changelog > Updating to VRT 1.5", "category" : "researcher", "tags" : "", "url" : "/changelog/updating-to-vrt-15/", "date" : "2018-10-26 00:00:00 +0000", "content" : "The latest VRT release (version 1.5) includes the following updates: * Improving transparency by adding multiple entries for commonly reported issues * Aligning the baseline severity rating to best reflect the market by increasing taxonomy granularity" } , { "title" : "Changelog > Point Reward System Better Aligns Expectations and Acknowledges Researchers for Their Hard Work", "category" : "researcher", "tags" : "", "url" : "/changelog/point-reward-system-better-aligns-expectations-and-acknowledges-researchers-for-their-hard-work/", "date" : "2018-10-30 00:00:00 +0000", "content" : "Improvements to the point reward system have been made to better align expectations between customers and researchers. Qualifying “Won’t Fix” submissions will be rewarded points to recognize the researchers for their hard work, while setting the expectation that the vulnerability is an accepted risk that will not be fixed. Researchers can now download a CSV with remitted payments. Researchers are once again receiving email notifications for VRT or priority updates to their submissions." } , { "title" : "Changelog > Updating to VRT 1.6", "category" : "researcher", "tags" : "", "url" : "/changelog/updating-to-vrt-16/", "date" : "2018-11-02 00:00:00 +0000", "content" : "Updated VRT 1.6 includes two major changes: revision to internal SSRF, and how we rate email spoofing, more specifically the baselines around SPF and DMARC." } , { "title" : "Changelog > File Support Update", "category" : "researcher", "tags" : "", "url" : "/changelog/file-support-update/", "date" : "2018-12-17 00:00:00 +0000", "content" : "You no longer need to upload large files to external sources: the platform now supports 100MB for all file uploads, allowing customers and researchers to upload larger files than ever before." 
} , { "title" : "Changelog > Payments Update", "category" : "researcher", "tags" : "", "url" : "/changelog/payments-update/", "date" : "2018-12-17 00:00:00 +0000", "content" : "Researchers’ Payment settings have been moved from the Account settings tab into a Payment Methods tab. The payment CSV export has also been updated to be ordered by date, giving researchers a more simplified view of their payment timeline and submissions. ![payments-update](/assets/images/researcher/changelog/payments-update.png)" } , { "title" : "Changelog > Updating to VRT 1.7", "category" : "researcher", "tags" : "", "url" : "/changelog/updating-to-vrt-17/", "date" : "2019-03-14 00:00:00 +0000", "content" : "We recently released VRT v1.7, with a platform integration planned for the week of March 25th. The release includes but is not limited to the listed updates. For more information, see [VRT 1.7 with New Automotive Security Misconfiguration](https://www.bugcrowd.com/blog/bugcrowd-releases-vulnerability-rating-taxonomy-1-7-with-new-automotive-security-misconfiguration/)." } , { "title" : "Changelog > Program Search Launched", "category" : "researcher", "tags" : "", "url" : "/changelog/program-search-launched/", "date" : "2019-04-01 00:00:00 +0000", "content" : "Hackers are always looking for their next target to dig into. Now with our new program search, this is more flexible and easier than ever before. With new advanced text search and filtering, researchers can search by skill, reward incentives, as well as programs previously submitted to, some of the many levers Bugcrowd’s expert team uses to invigorate program participation over time. 
This creates better visibility across all programs and helps customers connect with the right researchers for their program.![program-search](/assets/images/researcher/changelog/program-search.png)" } , { "title" : "Changelog > Payoneer Update", "category" : "researcher", "tags" : "", "url" : "/changelog/payoneer-update/", "date" : "2019-04-02 00:00:00 +0000", "content" : "Hackers can now delete their connected Payoneer account within Payment Methods.![payoneer-update](/assets/images/researcher/changelog/payoneer-update.png)" } , { "title" : "Changelog > Image Embeds", "category" : "researcher", "tags" : "", "url" : "/changelog/image-embeds/", "date" : "2019-04-11 00:00:00 +0000", "content" : "When writing vulnerability reports and submissions, it is vital to be as clear and detailed as possible to help streamline triage, validation, and acceptance. The markdown fields allowed for rich text functionality, making it easy to update and review reports.Now both the Crowd and Bugcrowd customers can embed images in-line on submissions and comments. This will enable the relevant image attachments to be shown closer to the content describing it, ultimately providing more context for the report, resulting in quicker triage, acceptance and remediation times.![image-embeds](/assets/images/researcher/changelog/image-embeds.gif)" } , { "title" : "Changelog > Public Program Credential Support and Improved Target Management", "category" : "researcher", "tags" : "", "url" : "/changelog/public-program-credential-support-and-improved-target-management/", "date" : "2019-05-07 00:00:00 +0000", "content" : "Program onboarding is a key component to program success. We recently released a Crowdcontrol feature that streamlines credential management for easier researcher onboarding and workflow.Customers running public programs now have the flexibility in-platform to handle credential assignments faster without damaging the researcher experience. 
This update allows for seamless credential distribution.![credentials](/assets/images/researcher/changelog/credentials.png)" } , { "title" : "Changelog > Researcher Collaboration", "category" : "researcher", "tags" : "", "url" : "/changelog/researcher-collaboration/", "date" : "2019-06-17 00:00:00 +0000", "content" : "To ensure success in finding priority vulnerabilities, security researchers often leverage the learnings of others through write-ups, blogs, podcasts and more. At the same time, researchers are beginning to work more collaboratively thanks to live communication tools and bug bounty incentives. However, researchers were limited in claiming credit for the finding and applicable rewards between multiple accounts. With Bugcrowd’s new researcher collaboration feature, researchers can now easily add collaborators to a submission, allowing each collaborator to participate and split the relevant rewards.![collaboration](/assets/images/researcher/changelog/collaboration.png)This feature is now available across public programs and bug bashes. If you’re interested in enabling collaboration with your private program, please let your account manager know." } , { "title" : "Changelog > Safe Harbor", "category" : "researcher", "tags" : "", "url" : "/changelog/safe-harbor/", "date" : "2019-07-24 00:00:00 +0000", "content" : "Security research requires explicit permission to begin testing, but even with that, the lack of clear legal scope can put hackers, companies and consumers at risk. Now with our safe harbor tracking in platform, one can set their level of safe harbor so that researchers can filter appropriately within the programs list. 
Go to your bounty brief settings to view your status, and reach out to your account manager to see how to adjust your program to be safe harbor compliant.![safeharbor](/assets/images/researcher/changelog/safeharbor.png)" } , { "title" : "Changelog > Certificates", "category" : "researcher", "tags" : "", "url" : "/changelog/certificates/", "date" : "2019-08-02 00:00:00 +0000", "content" : "At Bugcrowd, we're in the business of sourcing the best researchers for a program’s needs, taking into consideration the researcher's skills and trusted qualifications to ensure they can deliver. To enable researchers with a limited history to qualify in programs we are adding the ability to upload your certificates to help prove your skills. Once you upload your certificate(s) they will be automatically validated, then surfaced as part of crowd selection.![certificates](/assets/images/researcher/changelog/certificates.png){% include alert.html style="primary" text="**Set up your Certificates**: You can provide your certificate details within Crowdcontrol on the [Resume](https://bugcrowd.com/settings/resume) page. " %}" } , { "title" : "Changelog > Submission Retesting", "category" : "researcher", "tags" : "", "url" : "/changelog/submission-retesting/", "date" : "2019-10-11 00:00:00 +0000", "content" : "Once a vulnerability is patched, program owners will often have the issue retested to help verify that the fix was successful. Researchers are uniquely positioned to complete this black-box retest to certify a complete fix. With a breakers-mindset, researchers are incentivized to complete the original reproduction steps and also work around the patch for further rewards (as defined by the program's brief). Once a vulnerability is certified patched through a retest, customers can breathe a bit easier knowing the vulnerability is resolved.Starting last month, select customers can request retests for submissions, which are then allocated to researchers to complete. 
We look forward to enabling our customers and researchers to further work together and enable a secure software development lifecycle. ![retesting](/assets/images/researcher/changelog/retesting.png)" } , { "title" : "Changelog > Program Feedback when Ignoring or Hiding", "category" : "researcher", "tags" : "", "url" : "/changelog/program-feedback-when-ignoring-or-hiding/", "date" : "2019-11-05 00:00:00 +0000", "content" : "With program invitations, researchers were previously required to accept the invitation before they could understand the terms of the program. Going forward, we have decoupled the ability to become eligible for a program from the ability to join it, allowing researchers to view a program brief once eligibility is met. With access to the full brief, one can better understand the engagement and make a more informed decision to join the program or ignore it for the time being. When ignoring a program, one can input feedback to give the Program Owner and Bugcrowd valuable insight on how to better manage the program and improve our processes around program invitations going forward. But don't worry about losing out on the opportunity; you can always go back and accept the invitation later — check the **Hidden** tab in the **Programs** list to adjust. ![ignore-invite](/assets/images/researcher/changelog/ignore-invite.png) This functionality is not limited to private programs. Researchers can always provide feedback when hiding a public program as well. ![hide](/assets/images/researcher/changelog/hide.png)" } , { "title" : "Changelog > CrowdStream and Coordinated Disclosure", "category" : "researcher", "tags" : "", "url" : "/changelog/crowdstream-and-coordinated-disclosure/", "date" : "2019-12-19 00:00:00 +0000", "content" : "CrowdStream is Bugcrowd's public activity feed and displays the activities for unresolved, resolved, or coordinated disclosed submissions depending on the configured level of visibility for a program. 
An activity feed displays the program name, researcher name, priority, target, date of resolution or acceptance, and/or reward amount based on the configured visibility settings. The CrowdStream activity feed is displayed at the following locations for a researcher: * Application-wide activity feed * Researcher specific activity feed * Program specific activity feed. You can choose to display or hide your username and/or reward amount you have received for a submission in the CrowdStream activity feed. Coordinated Disclosure allows program owners and researchers to work together and publicly disclose details about a submission. When a Program Owner enables researchers to disclose submissions, Researchers with a valid submission can create a request for disclosure and the Program Owners are notified. The Program Owner and the Researcher start collaborating on the disclosure details and after both the parties have agreed on the reported details, the disclosure is finalized and displayed in CrowdStream. When requesting disclosure, Researchers must provide a summary and choose whether they want limited or full information to be disclosed. Program Owners can accept or deny any request. They can also change the visibility level and add more details for the summary. You can manage visibility of the submission details at a global and per submission level for all programs regardless of the program’s current settings. The following image shows disclosed and accepted submissions. ![disclosed-submission](/assets/images/researcher/changelog/disclosed-submission.png)" } , { "title" : "Changelog > Achievement Badges", "category" : "researcher", "tags" : "", "url" : "/changelog/researcher-achievement-badges/", "date" : "2019-12-19 00:00:00 +0000", "content" : "Competing among the crowd is commonplace; whether it's who has gotten the most findings or who has provided the highest impact, researchers want to share their achievements and see how they stack up. 
In the past, there have been one-dimensional leaderboards based on points of findings, but as researchers are completing more types of engagements we are looking to enable you to track your growth and see how you're doing compared to others in more ways. With our recent launch of Achievement Badges, you can now track your progress across each set of badges! And that's not all: to add to our P1 Warrior badge, we added new sets of badges you can compete on: * **Bounty Bee** for valid submissions across programs * **Collaboration Crusader** for working with unique groups of collaborators * **Submission Shogun** for valid submissions across Bugcrowd. As you meet the criteria for each tier, you receive a badge on your public profile to show off your status on the platform. We're looking forward to helping you climb the Badge Leaderboards! ![achievements](/assets/images/researcher/changelog/achievements.png)" } , { "title" : "Changelog > Joinable Program", "category" : "researcher", "tags" : "", "url" : "/changelog/joinable-programs/", "date" : "2020-03-03 00:00:00 +0000", "content" : "With the launch of Joinable Programs, we're excited to enable immediate access to a set of private programs as long as one meets the eligibility requirements. The requirements of each program are available and can be shared easily. When viewing the program one can see the requirements and what is being tested. Head over to check out joinable programs [here](https://bugcrowd.com/programs?joinable[]=true). ![joinable](/assets/images/researcher/changelog/joinable.png)" } , { "title" : "Changelog > Waitlisted Programs", "category" : "researcher", "tags" : "", "url" : "/changelog/waitlisted-programs/", "date" : "2020-04-03 00:00:00 +0000", "content" : "Researchers can now find and apply to Waitlisted programs that have niche requirements. 
For these programs, Bugcrowd allows you to explain why you are the right Researcher for the program. To find programs that are Waitlisted, use the drop-down filter menu on the **Programs** page and select **Waitlisted**. The program tiles and briefs display high-level information about the scope, rewards, and the eligibility requirements. If you are interested and you meet the eligibility criteria, you can apply to the program. When applying to a program, you must provide detailed evidence to prove you are the right researcher for the program. ![waitlisted-program](/assets/images/researcher/changelog/waitlisted-program.png)" } , { "title" : "Changelog > Payments Through Bank Transfer", "category" : "researcher", "tags" : "", "url" : "/changelog/payments-through-bank-transfer/", "date" : "2020-06-18 00:00:00 +0000", "content" : "Bugcrowd is now offering a new payment method called Bank Transfer as an option to all researchers on the Crowdcontrol platform. The amount is credited to your bank account faster when compared to the existing payment methods. You can still continue to use the existing payment methods. However, you will see more fees compared to the direct bank transfer due to higher currency conversion fees. 
You can also file your tax forms such as W-8BEN, W-8BEN-E, or W-9 in the platform itself and receive end-of-year tax statements. To set up the Bank Transfer payment method, go to the [Payment details](https://bugcrowd.com/settings/payment_vendor_account) tab, click **Add Payout Method**, select **Individual** or **Business**, fill in your personal details, and then select the **Bank Transfer** payment method. ![bank-transfer-payout](/assets/images/researcher/changelog/bank-transfer-payout.png)" } , { "title" : "Changelog > 2FA Backup Codes in Platform", "category" : "researcher", "tags" : "", "url" : "/changelog/2fa-backup-codes-in-platform/", "date" : "2020-09-12 00:00:00 +0000", "content" : "Researchers can now generate backup codes for Two-Factor Authentication (2FA) on their Bugcrowd Accounts. 2FA is a security measure that adds an additional step to your login process to protect your account. It requires you to enter your login credentials along with a secondary authentication code such as a pin that an authenticator sends to your phone. Go to your **Account Settings** and click on the **Security** tab in your Researcher profile to enable/disable 2FA and generate 2FA backup codes. ![2fa-backup-codes](/assets/images/researcher/changelog/2fa-backup-codes.png)" } , { "title" : "Changelog > Discover Programs", "category" : "researcher", "tags" : "", "url" : "/changelog/discover-programs/", "date" : "2020-09-15 00:00:00 +0000", "content" : "You can now view the programs that you may be interested in on the Discovery page. It displays program cards grouped under various categories. For example, Waitlisted programs, Joinable Programs, programs with iOS Targets, and other categories. 
If you are interested, you can click a program or view all programs in a particular category. To discover programs, click the **Discovery** tab. ![discovery-page](/assets/images/researcher/changelog/discovery-page.png)" } , { "title" : "Changelog > Just for You - Program Recommendations", "category" : "researcher", "tags" : "", "url" : "/changelog/just-for-you-programs/", "date" : "2020-09-16 00:00:00 +0000", "content" : "The **Just for You** page displays program recommendations customized to your skills, platform successes, linked profiles, and linked certificates. There are three recommendation categories: **Experts needed**: programs that require non-standard skills that match yours; **Try something new**: programs with skills that are new to your profile; **GitHub Activity**: programs recommended based on your skills identified from your GitHub activity. You must connect your GitHub account to get recommendations. To view the programs in Just For You, go to the **Discovery tab** and then click **Just For You**. ![just-for-you-page](/assets/images/researcher/changelog/just-for-you-page.png)" } ]