What’s New
We are introducing a new way to manage program scope and bounty rewards using asset tags.
This new setup makes it easier to:
Organize the assets in your asset inventory into logical groups such as regions, business units, products, asset priority, or environments.
Create multiple reward tables mapped to those asset tags. These can be grouped by different reward amounts, scope requirements, or priority.
Present a clearer combined Scope and rewards view to Hackers.
More easily scale reward structures as programs grow.
How it Works
The new system uses asset tag categories to organize assets in your asset inventory. Any tag category can be designated as a reward category, which means tags in that category can be associated with bounty reward tables.
Example:
Create a tag category called Asset Priority
Mark it as a reward category
Create tags such as:
Core Platform
Mobile Apps
Partner Integrations
Each Asset Priority can have its own bounty table
Assets tagged with Core Platform automatically appear in the Core Platform reward group, which can then have a researcher-facing name applied to it
Visual flow of the above example:
Asset Inventory → Add assets and mark them as in scope or out of scope
↓
Tag Categories → Asset Priority, reward-enabled
↓
Tags → Core Platform, Mobile Apps, Partner Integrations
↓
Tag Assets → app.example.com tagged with Core Platform
↓
Scope and rewards groups → Create a reward table for Core Platform, with a Hacker-facing name and provide a scope description for the reward table (optional)
↓
Hacker View → Combined scope and rewards organized by Asset Priority, with researcher-facing names applied
Opting In
Currently, you can revert to the old flow. This gives you room to:
Test the new interface without commitment
Migrate gradually
Provide feedback
Note: Once the old flow is discontinued, all programs will need to use the new setup. We will provide advance notice before that happens.
How to enable the new workflow:
Go to Program settings → Rewards → Scope and reward groups
Look for the banner: Try the new, streamlined rewards setup
Click Enable new setup
The page reloads into the new interface
Important: The new setup does not change the hacker-facing view until you click Publish.
Setting Up the New Flow
Step 1: Prepare Asset Tag Categories
Before creating reward groups, you must select at least one asset tag category as a reward category.
Organizations have default asset tag categories like Technology, Business Unit, and Language. These cannot be used for rewards. You can create and assign custom asset tag categories. Within each asset tag category, you can create specific asset tags and assign them to assets. Remember, assets need to be tagged and marked as in scope to be included in reward groups.
See our instructions for setting up and managing asset tag categories, asset tags, and assigning assets here.
Enabling rewards also enables the setting that allows only one tag per asset in that category. This is required so each asset belongs to only one reward group.
Step 2: Configure Program-Level Settings
You can configure:
Whether bounty amounts appear in the report timeline.
Custom severity labels. Default values are low, medium, high, and critical.
Step 3: Create Scope and Reward Groups
Select the reward tag category
Go to Rewards → Scope and rewards groups
In the Asset tag category selection, choose the reward category (only reward-enabled categories appear in the dropdown)
For each reward group, complete:
Reward group name: the value that will be visible to Hackers, not the asset tag name
Reward asset tags: select one or more
Reward values setting: Fixed or Range
Program scope group description: an optional description that provides scope information about the group
Add more reward groups, optional
Click Add new reward group
Repeat the above steps for each group
Reward groups are displayed in the hacker-facing Scope and rewards page in the order they appear on this setup page
To remove a reward group, if needed:
Scroll to the bottom of the group
Click Remove this reward group
Resolve warnings if shown. Possible warnings include:
Warning | Meaning | Fix |
Assets missing required tag | In-scope assets do not have a tag from the selected reward category | In the Asset Inventory, tag the assets or mark them as out of scope |
Tags not mapped to a reward group | Tags have in-scope assets but are not assigned to a reward group | Create reward groups for those tags or add them to existing tables |
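The two warnings above, together with the one-tag-per-asset rule from Step 1 and the rule that a tag belongs to only one reward group, can be checked offline before you publish. The following is an added example, not platform code: the data shapes, the function name, and the sample assets are assumptions constructed for illustration and do not represent an export format or API.

```python
from collections import defaultdict

def check_reward_setup(assets, reward_category, reward_groups):
    """Return the problems that would block a clean publish.

    assets: list of {"name", "in_scope", "tags": {category: [tag, ...]}}
    reward_groups: {hacker-facing group name: [asset tag, ...]}
    Both shapes are assumptions made for this example.
    """
    # Index tags by the reward groups that list them.
    groups_by_tag = defaultdict(list)
    for group, tags in reward_groups.items():
        for tag in tags:
            groups_by_tag[tag].append(group)

    missing, multiple, unmapped = [], [], set()
    for asset in assets:
        if not asset["in_scope"]:
            continue  # out-of-scope assets are not part of reward groups
        tags = asset["tags"].get(reward_category, [])
        if not tags:
            missing.append(asset["name"])    # "Assets missing required tag"
        elif len(tags) > 1:
            multiple.append(asset["name"])   # violates one tag per asset
        for tag in tags:
            if tag not in groups_by_tag:
                unmapped.add(tag)            # "Tags not mapped to a reward group"
    return {
        "missing_tag": missing,
        "multiple_tags": multiple,
        "unmapped_tags": sorted(unmapped),
        # A tag may appear in only one reward group.
        "tag_in_multiple_groups": {t: g for t, g in groups_by_tag.items() if len(g) > 1},
    }

# Constructed sample inventory and reward groups
ASSETS = [
    {"name": "app.example.com", "in_scope": True, "tags": {"Asset Priority": ["Core Platform"]}},
    {"name": "m.example.com", "in_scope": True, "tags": {"Asset Priority": ["Mobile Apps"]}},
    {"name": "partner.example.com", "in_scope": True, "tags": {"Technology": ["PHP"]}},
    {"name": "legacy.example.com", "in_scope": False, "tags": {}},
]
GROUPS = {"Tier 1: Core": ["Core Platform"]}

if __name__ == "__main__":
    for kind, items in check_reward_setup(ASSETS, "Asset Priority", GROUPS).items():
        print(kind, items)
```

With the sample data, partner.example.com is reported as missing a reward tag and Mobile Apps as a tag without a reward group; the out-of-scope asset is ignored.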
Step 5: Publish Changes
Review all reward groups
Click Publish
Once published: The page goes live, replacing the old scope and bounty structure. Hackers can see the new Scope and rewards page
AI-Powered Migration Assist
You can use the Hai migration assistant (requires Hai to be enabled) to help migrate from the old flow to the new one. It supports grouping assets, setting up and applying asset tags, and setting up the reward groups.
How Migration Assist Works
Go to Program settings → Rewards → Scope and rewards groups
Look for the banner: Try the new, streamlined rewards setup
Click Enable new setup
Look for the banner: Scope and Rewards Groups. Click on Set up with Hai at the top of the page
Review Hai’s proposed migration, which includes suggested groupings of similar assets, recommended tag names for those groupings, and bounty tables for each category.
Hai will check in with you after each step to see if you would like to make any changes to the suggestions. Once you have confirmed all adjustments, Hai will automatically update your assets with the necessary tags and create the agreed-upon bounty tables during the setup process.
Review the results under Rewards → Bounty → Scope and rewards Group
Click Publish to update your program scope and rewards page.
What Hackers See
Hackers will see a new combined Scope and rewards page with:
A program-level scope description, if configured
Reward group sections
Bounty tables inside each group
Asset tables inside each group
An Excluded assets section at the bottom
They can also use filters such as:
Search by asset name
Filter by scope group
Filter by severity
Filter by bounty eligibility
View changes - shows changes to the groups, program scope, or reward tables.
Key Differences From the Old Flow
Aspect | Old Flow | New Flow |
Selecting scope | Select individual assets for the scope table | Select asset tags to create asset groups |
Multiple bounty tables | Workarounds required | Supported natively |
Scope management | Separate from rewards | Combined in one interface |
Hacker view | Separated into different scope and rewards pages | Combined Scope and rewards page |
Adding new assets | Manual assignment | Automatic by applying a tag in the asset inventory |
Scope descriptions | One program-level description | Per-group descriptions supported |
Program Guidelines page | Shows reward summary | Reward summary removed |
Reward value setting | Select one of Fixed or Range across all tables | Select Fixed or Range per reward group |
Best Practices
Strong approaches
Environment-based - Production, Staging, Development
Business Unit-based - Core Platform, Mobile, APIs
Asset Criticality-based - Tier 1, Tier 2, Tier 3
Regional-based - APAC, EMEA, Americas
Scope-based - Assets requiring Gateway use, Assets not requiring Gateway use
Avoid
Creating too many reward groups at the start
Using internal-only names that hackers will not understand for hacker-facing reward groups
Troubleshooting
Common issues
Issue | Cause | Fix |
In-scope assets cannot be assigned | Assets are untagged or unmapped | Tag assets or create reward groups |
Tags not mapped to reward groups | In-scope tagged assets are not tied to a reward group | Add tags to a reward group |
The tag category dropdown is empty | No reward-enabled categories exist | Create or edit a reward category |
Cannot delete tag category | The category is in use by a program | Change the selected category first |
Assets show in the wrong reward group | Tag selection is incorrect | Update asset tags or group mappings |
The hacker-facing page does not update | Changes were not saved | Click Publish changes |
Reverting to the Old Flow
You can revert to the old flow. If you opt to revert:
Old bounty table setup becomes active again
Hackers see the old scope and rewards pages
New flow configuration remains saved
You can switch back later without starting over
Learn more about the old flow here. Once the old flow is discontinued, you will need to use the new setup.
FAQs
Can you use multiple tag categories for rewards within a single program?
No. Each program selects one reward tag category.
What happens to the existing bounty table when the new setup is enabled?
Nothing changes until you click Publish changes.
Can the old flow and new flow be used at the same time?
No. Only one flow is active at a time.
Does this affect reports or analytics?
No. This only changes the scope and reward configuration and presentation.
How many reward groups can be created?
There is no hard limit, but 4-6 is the recommended range.
Can different reward groups use Fixed and Range settings?
Yes. Each reward group can use its own setting.
Can one tag appear in multiple reward groups?
No, but multiple asset tags can be connected to one reward group.
