In bug bounty programs, having an open scope is quite possibly the single most effective thing your organization can do to help secure your external attack surface. It leverages the power of the whole crowd to find and identify any exposures your organization may have online, and most of the time, there’s a lot more out there than you realize.
What is a scope?
A scope is the defined set of targets that an organization has listed as assets to be tested as part of a particular engagement. Things that are listed as “in-scope” are eligible for testing, and things that are “out of scope” are not to be tested.
If you think of scope as a spectrum, there are three main categories that programs fall under. Where your program falls on that spectrum affects how effectively it reaches researchers and, ultimately, how successful it is.
Three main types of scopes:
- Limited Scope: a limited scope on a bug bounty program includes only a single target or a specific set of targets.
- Wide Scope: a wide scope bounty program is one that includes a wildcard among its in-scope targets.
- Open Scope: an open scope bounty program is one that has no limitations on what researchers can or cannot test, so long as the target/asset belongs to your organization.
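The three scope types above differ in how a submitted target is matched against the program's policy. The following added example, which is not part of the original post or any Bugcrowd tooling, implements that matching for triage: a limited scope honours only hosts listed verbatim, a wide scope honours `*.domain` wildcards, and an open scope accepts anything under a domain the organization owns, with explicit exclusions always winning. The `example.com` / `example.net` policies and all host names are constructed sample data.

```python
from dataclasses import dataclass, field
from enum import Enum


class ScopeType(Enum):
    LIMITED = "limited"   # single or specific targets only
    WIDE = "wide"         # wildcard entries allowed in the target list
    OPEN = "open"         # anything the organization owns


@dataclass
class ScopePolicy:
    kind: ScopeType
    # Exact hostnames, or "*.example.com"-style patterns for WIDE programs.
    targets: set = field(default_factory=set)
    # Registrable domains the organization owns; consulted only for OPEN.
    owned_domains: set = field(default_factory=set)
    # Explicit exclusions always win over any in-scope rule.
    excluded: set = field(default_factory=set)


def normalize(host):
    """Lower-case and strip a trailing dot so 'WWW.Example.COM.' == 'www.example.com'."""
    return host.strip().lower().rstrip(".")


def pattern_matches(pattern, host):
    """Exact match, or wildcard match for '*.domain' (any depth below the domain, not the apex)."""
    pattern = normalize(pattern)
    if pattern.startswith("*."):
        suffix = pattern[1:]            # "*.example.com" -> ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def under_domain(domain, host):
    """True if host is the domain itself or any label beneath it."""
    domain = normalize(domain)
    return host == domain or host.endswith("." + domain)


def in_scope(policy, host):
    """Return (decision, reason) for a submitted target under the given policy."""
    host = normalize(host)
    for ex in policy.excluded:
        if pattern_matches(ex, host):
            return False, f"explicitly excluded by {ex}"
    if policy.kind is ScopeType.LIMITED:
        # Limited scope: wildcards are not honoured; the host must be listed verbatim.
        if host in {normalize(t) for t in policy.targets}:
            return True, "listed target"
        return False, "not a listed target"
    if policy.kind is ScopeType.WIDE:
        for t in policy.targets:
            if pattern_matches(t, host):
                return True, f"matches {t}"
        return False, "no target or wildcard matches"
    # OPEN: anything under a domain the organization owns.
    for d in policy.owned_domains:
        if under_domain(d, host):
            return True, f"owned domain {d}"
    return False, "not an organization-owned asset"


# Constructed sample policies for a hypothetical "example.com" organization.
LIMITED = ScopePolicy(ScopeType.LIMITED, targets={"app.example.com"})
WIDE = ScopePolicy(ScopeType.WIDE, targets={"*.example.com"},
                   excluded={"legacy.example.com"})
OPEN = ScopePolicy(ScopeType.OPEN, owned_domains={"example.com", "example.net"},
                   excluded={"*.corp.example.com"})


def triage(policy, hosts):
    """Map each submitted host to its in-scope decision under one policy."""
    return {h: in_scope(policy, h)[0] for h in hosts}


if __name__ == "__main__":
    sample = ("app.example.com", "api.example.com", "legacy.example.com",
              "shop.example.net", "vpn.corp.example.com", "example.org")
    for name, pol in (("limited", LIMITED), ("wide", WIDE), ("open", OPEN)):
        for h in sample:
            print(f"{name:8} {h:24} {in_scope(pol, h)}")
```

Checking exclusions before any in-scope rule is deliberate: a report against a host the program has carved out should be rejected even if a wildcard or owned-domain rule would otherwise admit it. Note that the `*.example.com` wildcard does not match the apex `example.com` itself, which is how most programs list wildcards; if your program intends the apex to be included, list it as a separate exact target.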
Depending on where you’re at, you may want to reevaluate your scope to further secure your assets and reap the benefits of our researchers’ efforts. If you’re feeling unsure, don’t worry. Most organizations and bounty programs take a systematic progression over time. It’s common to start with a basic or limited scope, then expand that limited scope, move to a wildcard scope, and finally to an open scope.
Why is expanding your program’s scope important?
Bad actors aren’t asking for permission to test everywhere. Bad actors in the wild don’t have to play by any rules; they go wherever they want and aren’t going to only come in through your front door. Limiting where the good actors can test only puts defenders at a further disadvantage in the battle to secure assets, data, and ourselves. To combat this, an open scope program is not only useful, but necessary. There are very few things that can be more effective in helping secure the totality of your organization’s external footprint than running a completely open scope for all internet-facing assets.
Ready to start moving your program toward an open scope?
The best place to start is by talking to your Bugcrowd Success Team – your TCSM will help provide guidance, recommendations, and support for whatever you need to get going. Bugcrowd is here to help you secure your organization, and we know that open scope is a critical part of your security journey. To learn more about Open Scope, check out this guide.