
Code of Conduct

The Bugcrowd Code of Conduct outlines the behaviors required of all Bugcrowd community members participating in crowdsourced security programs, Bugcrowd online community offerings such as the Bugcrowd Community Forum and IRC channel #bugcrowd, the Bugcrowd Researcher slack channel, Discord, Bug Bashes, as well as any other programs and events that may be offered by Bugcrowd.

This Code of Conduct applies to all interactions you have with Bugcrowd team members, customers, and researchers. The Bugcrowd community is intended for everyone, from all walks of life, and following this Code of Conduct will help ensure that we maintain a safe and welcoming place for all. Please take a moment to learn more about Who We Are and our standard requirements to understand the platform culture of all Bugcrowd participants.


Who We Are and What We Require

Our top core values are simple. We don’t believe in unnecessarily complicating things.

  • Be Kind.
  • Be Respectful and Professional in your communications and behavior.
  • Be Ethical. Don’t intentionally mislead customers or Bugcrowd. It is your job to try to break technology and to find business logic flaws, but when you find a weakness it is also your job to report it so it can be fixed – not to exploit it.
  • Help us improve. We do this through honest and insightful discussions with our peers and partners.


Vulnerability Reporting Standards

Be prompt in reporting vulnerabilities you have identified.

  • Disclosure Guidelines: Don’t share confidential vulnerability or customer information. Private program customers are private, and no submitted vulnerability (including duplicates, Out of Scope, Not Applicable, etc.) may be disclosed without explicit customer permission. Please read each Bounty Brief for specific program disclosure policies, which supersede (overrule) this policy. We expect everyone to use the proper channels to disclose or communicate about vulnerability submissions. Email Bugcrowd Support if you have any questions about disclosure.
  • If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating the impact of the vulnerability; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information. In the event you access PII or other sensitive data, please note that you are required to follow all laws and regulations applicable to the access and processing of such personally identifiable information and/or data, such as the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679), including the European Commission’s Standard Contractual Clauses regarding the transfer of personal data to processors and the California Consumer Privacy Act of 2018, and the California Privacy Rights Act of 2020 once it becomes effective.
  • It is not acceptable to create placeholder submissions that are used to “squat” on findings (e.g. reports that are rapidly submitted with a vague title and no detailed replication steps in the initial report); all valid findings must be submitted with a full description, proof of concept, and complete replication steps in the original report. In cases where the initial report is lacking a description, proof of concept, and replication steps, the report will be closed and must be re-submitted with the required information to be considered for the program. Please always submit complete, fully populated, and articulate reports.
  • Read and abide by Bugcrowd’s Standard Disclosure Terms and each program’s Bounty Brief. We expect you to follow all guidelines and rules that a particular crowdsourced security program or company has outlined regarding scope of testing and disclosure. For more information on disclosure policies at Bugcrowd, visit the Researcher Documentation Centre, our Researcher Resources, or FAQ.

PLATFORM BEHAVIOR STANDARDS

Bugcrowd strives to create a safe, inclusive and positive environment for the mutual benefit of Researchers and Customers alike, allowing for collaborative engagement in the pursuit of a safer Internet.

The Platform Behavior Standards are in place to help Researchers better understand unacceptable issues and behaviors on our platform, and which measures are taken when we become aware of an incident.


Behavior Type / Severity Value / Definitions & Example Behaviors

Disruptive Behavior (Severity Value: 1)
  • Testing which causes a disruption for the Program Owner
  • Spamming for updates in submissions
  • Submitting a high volume of tickets to support

Aggressive Behavior (Severity Value: 1)
  • Using unprofessional language with the Program Owners, other Researchers, and Bugcrowd employees

Out of Scope (Severity Value: 1)
  • Testing outside of the provided scopes on a bounty brief, submitting issues that are out of scope repeatedly, or not following the program bounty brief instructions. If a Researcher thinks they have a high impact vulnerability that is out of scope but should be brought to the customer’s attention, please submit the vulnerability for our Triage team to evaluate. If the Program Owner does not accept the submission, Bugcrowd will mark it Not Applicable, so the submission doesn’t impact the Researcher negatively.

Out of Band Contact (Severity Value: 1)
  • When a Researcher contacts a Customer or Bugcrowd employee outside of the bounds of Bugcrowd’s platform

Duplicate Abuse (Severity Value: 2)
  • Attempting to game the Bugcrowd systems by submitting a large number of duplicate submissions or even self-duplicates to the platform

Program Disclosure (Severity Value: 2)
  • Exposing the existence of a customer or Private Program that is running on Bugcrowd

Disclosure Threat (Severity Value: 3)
  • Threatening to disclose a vulnerability submitted through the Bugcrowd platform (such as on Twitter, blogs, YouTube, etc.)

Unauthorized Disclosure (Severity Value: 4)
  • Vulnerability Sharing; Unauthorized disclosure of Confidential Information, Proprietary Information, or Personal Information. A researcher disclosing a vulnerability submitted through the Bugcrowd platform (such as on Twitter, blogs, YouTube, etc.). Interacting with or accessing any accounts and systems without the explicit permission of the account holder.

Abusive Behavior & Harassment (Severity Value: 4)
  • Using aggressive and/or extreme language within submissions or in interactions with Program Owners, other Researchers, and Bugcrowd employees. Harassment, including but not limited to the following, is unacceptable and prohibited:
  1. Offensive user-generated or submitted content (for example, related to gender, sexual orientation, race, religion, disability, etc., including offensive user names)
  2. Use of nudity and/or sexual images (including presentation slides).
  3. Abusive or threatening language.
  4. Deliberate intimidation, stalking or following, including seeking out uninvited personal contact with Bugcrowd employees or customers via personal phone or email, harassing materials, photography or recording.
  5. Inappropriate physical contact (at any Bugcrowd or industry events), and/or unwelcome sexual attention.
  6. Making unjustified accusations against other user(s).
  7. Personal attacks, including hurtful, insulting or hostile comments.

Extortion Threat (Severity Value: 4)
  • Threatening to extort a company, customer, or employee for unfair gain on the Bugcrowd platform

Ban Dodge (Severity Value: 5)
  • Reactivating and/or creating a new researcher account on the Bugcrowd platform after being permanently banned

These Enforcement Actions apply to all persons entering our platform or engaging in communication with customers and Bugcrowd employees.

Total Severity Value / Enforcement Measure / Action Definition

  • 1 (Coaching Message): The researcher receives a coaching message from Bugcrowd explaining what behavior is unacceptable, providing guidance for correcting the behavior going forward, and stating how many points they have.
  • 2 (Warning): The researcher receives a warning message explaining what behavior is unacceptable, outlining what will happen if they have another incident, and stating how many points they have.
  • 3 (Final Warning): The researcher receives a final warning message explaining what behavior is unacceptable, that the next incident will result in Temporary Suspension or Platform Ban, and how many points they have.
  • 4 (Temporary Suspension): The researcher receives a message outlining how long they are temporarily suspended from the platform and how many points they have.
  • 5+ (Platform Ban): The researcher has 5+ points and is removed from the platform with messaging outlining why they have been banned.


Please be aware that Bugcrowd retains the ability to adjust the severity of an enforcement measure depending on the gravity of the infraction. Additionally, depending on the nature of the infraction, Bugcrowd may impose further enforcement penalties such as extended ban durations, immediate program removal, and permanent removal from the Bugcrowd platform.

Other violations of this Code of Conduct, the Standard Disclosure Terms, the Terms of Service, or other applicable terms and customer program briefs can result in enforcement actions as well, including a warning and/or removal of access to elements of the Bugcrowd platform on a temporary or permanent basis depending on the severity of the violation. In some instances, an offender will be removed from Bugcrowd bounties or from the Bugcrowd community entirely.

All policy enforcement and eligibility decisions are made entirely at the discretion of Bugcrowd. Decisions are final and considered private matters between Bugcrowd’s team members and the individual(s) involved. If you have any questions about a recent action taken on your account, please contact Bugcrowd Support for details.

WHAT HAPPENS IF YOU RECEIVE AN ENFORCEMENT ACTION

Bugcrowd counts 1-mark and 2-mark incidents toward Total Marks for a rolling 12-month period. After 12 months, 1-mark and 2-mark incidents are considered expired and are only included in incident reviews if a pattern of behavior precedes this new incident. 4- and 5-mark incidents never expire and are considered active for the purpose of a new incident review. Additionally, program invitations may be revoked at the discretion of Customers and/or Bugcrowd based on the severity of the incident(s).

If a researcher is banned from the platform, they may request a Reinstatement Review after one full year. Bugcrowd will provide the Researcher with an update once the Reinstatement Review is completed. Depending on the severity of previous incidents, we may not accept a Researcher’s Reinstatement, and the ban may remain in place. Contact support@bugcrowd.com to request a Reinstatement Review.

HELP US, HELP YOU

If you observe a fellow Researcher violating our Code of Conduct and/or exhibiting malicious behaviors that are not conducive to building a safe and positive professional environment, please report it to the Bugcrowd Support Team at support@bugcrowd.com. We are grateful for your support in fortifying our community’s experience.

TERMS & CONDITIONS AND STANDARD DISCLOSURE POLICY

We have a Terms and Conditions document describing your (and our) behavior and rights related to content, privacy, and laws. To participate in Bugcrowd programs and offerings you must agree to abide by our Terms and Conditions and the Standard Disclosure Terms.
