This website use cookies which are necessary to its functioning and required to achieve the purposes illustrated in the privacy policy. To learn more or withdraw consent please click on Learn More. By continued use of this website you are consenting to our use of cookies.
Accept
Learn More

Posts by Topic

Bug Bounty Management Bugcrowd News Bugcrowd Spotlight Bug Hunter Methodology Community Spotlight Company Resources Conferences & Events Customer Case Study Cybersecurity News Guest Blogs Product Spotlight Product Updates Program Launches Program Management Program Updates Report Recap Researcher Event Researcher Resources Researcher Spotlight Success Stories Thought Leadership Vulnerabilities Vulnerability Disclosure Webinar Recap Winner's Circle

Posts By Author

Abigail Nguy Amp Somers Andy Burtis Ashish Gupta Athena Peterson Barnett Klane Breonna Burrell Bugcrowd Bugcrowd Design Bugcrowd Product Marketing Bugcrowd Researcher Success Casey Ellis David Baker Erica Azad Grant McCracken Guest Post Jason Haddix Kaila Pollart Kaushik Srinivas Lauren Craigie Luke Stephens Mari Kemp Michael Hamel Michael Skelton Omar Carmical Randy Young Rick Beattie Ryan Black Shpend Kurtishaj

Posts by Grant McCracken

Providing Access to your Program: Sharing Isn’t Caring

Over the past year, we’ve spent some time diving into many of the different aspects relating to setting up a successful bug bounty program. Previously we’ve covered setting your scope, and the importance of focus areas, as well as some considerations to make around setting exclusions and provisioning your testing environment. Additionally, we’ve also taken a brief look at reward guidelines and disclosure policies, and how they can be used to both enhance your program and increase visibility.

Read More

Essential to a Successful Bounty Brief: Exclusions

In continuing our series on building a bounty brief, we’ve already covered step 0, creating a scope, and also touched briefly on focus areas. Now that you have the foundation of what you want researchers to be testing, it’s now time to turn your attention to what you don’t want them to be testing – which is just as, if not more important, as clearly stating what you do want to be tested. We do this by explicitly noting and drawing the researcher’s attention to our exclusions.

Why is it so important? Simply put, it’s a matter of respecting researchers’ time and effort. If we take a moment to look at this from a researcher’s point of view, every issue that we clearly exclude on the bounty brief is something they won’t/don’t need waste their time testing for and/or reporting. A brief that doesn’t contain explicit exclusions runs the risk of receiving issues that the program owner may not care for – resulting in wasting the time and resources of both the researcher and the program owner. To clearly document these exclusions, we’ve identified five of the most common categories to consider for exclusions when building your program: low impact issues, intended functionality, known issues, accepted risks, and issues resulting from pivoting. 

Read More

How to Write a Clear and Thoughtful Scope, A Deep Dive

We recently published a comprehensive but abbreviated guide ‘Anatomy of a Bounty Brief’ which explores each part of a bounty program brief and how organizations can write them more clearly and thoughtfully.

Once you’ve identified that you and your organization are ready to commit the necessary time and resources to running a bug bounty program, it’s time to start building out your program brief – the first step of which, is setting the program scope.

Read More
Back To Top