Beta Feature: This new workflow launches on April 8, 2026, for select beta participants. If you want to join, contact your Customer Success Manager.
What’s New
We are introducing a new way to manage program scope and bounty rewards using asset tags.
This new setup makes it easier to:
Organize your assets in your asset inventory into logical groups such as regions, business units, products, asset priority, or environments.
Create multiple reward tables mapped to those asset tags. This could be grouped by different reward amounts, scope requirements, or priority.
Present a clearer combined Scope & Rewards view to Hackers.
More easily scale reward structures as programs grow.
How it Works
The new system uses asset tag categories to organize assets in your asset inventory. Any tag category can be designated as a reward category, which means tags in that category can be associated with bounty reward tables.
Example:
Create a tag category called Business Units
Mark it as a reward category
Create tags such as:
Core Platform
Mobile Apps
Partner Integrations
Each business unit can have its own bounty table
Assets tagged with Core Platform automatically appear in the Core Platform reward group, which can then have a researcher-facing name applied to it
Visual flow of the above example:
Asset Inventory → Add assets and mark them as in scope or out of scope
↓
Tag Categories → Business Units, reward-enabled
↓
Tags → Core Platform, Mobile Apps, Partner Integrations
↓
Tag Assets → app.example.com tagged with Core Platform
↓
Scope & Rewards Groups → Create a reward table for Core Platform with a Hacker-facing name, and optionally provide a scope description for the reward table
↓
Hacker View → Combined scope and rewards organized by Business Units, with researcher-facing names applied
Opting Into the Beta
During the beta period, you can revert to the old flow. This gives you room to:
Test the new interface without commitment
Migrate gradually
Provide feedback
Note: Once the old flow is discontinued after GA, all programs will need to use the new setup. We will provide advance notice before that happens.
How to enable the new workflow:
Go to Program settings → Rewards → Bounty
Look for the banner: Try the new, streamlined rewards setup
Click Enable new setup
The page reloads into the new interface
Important: The new setup does not change the hacker-facing view until you click Save.
Setting Up the New Flow
Step 1: Prepare Asset Tag Categories
Before creating reward groups, you must select at least one asset tag category as a reward category.
Organizations have default asset tag categories like Technology, Business Unit, and Language. These can be used for rewards, or you can create and assign custom asset tag categories. Within each asset tag category, you can create specific asset tags and assign them to assets. Remember, assets need to be tagged to be included in reward groups.
See our instructions for setting up and managing asset tag categories, asset tags, and assigning assets here.
Enabling rewards also enables the setting that allows only one tag per asset in that category. This is required so each asset belongs to only one reward group.
Step 2: Configure Program-Level Settings
You can configure:
Whether bounty amounts appear in the report timeline.
Custom severity labels. Default values are low, medium, high, and critical.
Step 3: Create Scope & Reward Groups
Select the reward tag category
Go to Rewards → Scope & Rewards Groups
In the Asset tag category selection, choose the reward category (Only reward-enabled categories appear in the dropdown)
For each reward group, complete:
Reward Group Name, this will be visible to Hackers
Select one or more asset tags
Reward value setting, Fixed or Range
Program scope group description, optional description to provide scope information about the group
Add more reward groups, optional
Click Add new reward group
Repeat the above steps for each group
Order groups as you wish them to appear on the hacker-facing scope and rewards page
To remove a reward group, if needed:
Scroll to the bottom of the group
Click Remove this reward group
Resolve warnings if shown. Possible warnings include:
Warning | Meaning | Fix |
Assets missing required tag | In-scope assets do not have a tag from the selected reward category | In the Asset Inventory, tag the assets or remove them as in-scope |
Tags not mapped to a reward group | Tags have in-scope assets but are not assigned to a reward group | Create reward groups for those tags or add them to existing tables |
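The two warnings above, together with the one-tag-per-asset and one-group-per-tag rules described on this page, can be checked against your own inventory data before you click Save. This is an added example, not HackerOne code or a HackerOne export format: the data layout, the field names and the function check_reward_mapping are assumptions, and the sample inventory is constructed.

```python
from collections import defaultdict

# Constructed sample data; field names are assumptions, not a platform export format.
REWARD_CATEGORY = "Business Units"
ASSETS = [
    {"name": "app.example.com", "in_scope": True, "tags": {"Business Units": ["Core Platform"]}},
    {"name": "m.example.com", "in_scope": True, "tags": {"Business Units": ["Mobile Apps"]}},
    {"name": "api.example.com", "in_scope": True, "tags": {"Technology": ["Go"]}},
    {"name": "partners.example.com", "in_scope": True,
     "tags": {"Business Units": ["Partner Integrations"]}},
    {"name": "legacy.example.com", "in_scope": False, "tags": {}},
]
# Hacker-facing reward group name -> asset tags mapped to that group.
REWARD_GROUPS = {"Core Platform": ["Core Platform"], "Mobile": ["Mobile Apps"]}


def check_reward_mapping(assets, category, groups):
    """Report mapping problems between in-scope assets, tags and reward groups."""
    tag_to_groups = defaultdict(list)
    for group, tags in groups.items():
        for tag in tags:
            tag_to_groups[tag].append(group)

    missing_tag, multi_tag = [], []
    unmapped = defaultdict(list)
    for asset in assets:
        if not asset["in_scope"]:
            continue  # both warnings on this page concern in-scope assets only
        tags = asset["tags"].get(category, [])
        if not tags:
            missing_tag.append(asset["name"])
        elif len(tags) > 1:
            multi_tag.append(asset["name"])  # reward categories allow one tag per asset
        for tag in tags:
            if tag not in tag_to_groups:
                unmapped[tag].append(asset["name"])

    return {
        "assets_missing_required_tag": missing_tag,
        "assets_with_multiple_tags": multi_tag,
        "tags_not_mapped_to_group": dict(unmapped),
        "tags_in_multiple_groups": {t: g for t, g in tag_to_groups.items() if len(g) > 1},
    }


if __name__ == "__main__":
    report = check_reward_mapping(ASSETS, REWARD_CATEGORY, REWARD_GROUPS)
    for problem, items in report.items():
        print(f"{problem}: {items}")
```
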
Step 5: Supply Chain Bounty Table
The Supply Chain Bounty Program (SCBP) is a crowdfunded bug bounty program that rewards security researchers and maintainers for uncovering and remediating vulnerabilities in the open-source software that supports the internet. Learn more here to determine whether it is relevant to your program and, if so, how to set up the Supply Chain Bounty Table.
Step 6: Save Changes
Review all reward groups
Click Save
Once saved: The page goes live, replacing the old scope and bounty structure. Hackers can see the new Scope & Rewards page.
AI-Powered Migration Assist
If you already have a bounty table set up, you can use the Hai migration assistant (requires Hai to be enabled).
Good fit | Better to set up manually |
Bounty tables already exist | New program with few assets |
Assets are already organized logically | Major reorganization is needed |
You want to preserve the current structure | The current setup relies on workarounds |
How Migration Assist Works
Go to Program Settings → Rewards → Bounty
Look for the banner: Try the new, streamlined rewards setup
Click Enable new setup
Look for the banner: Scope and Rewards Groups (beta). Click on Migrate with Hai at the top of the page
Review Hai’s proposed migration, which includes suggested groupings of similar assets, recommended tag names for those groupings, and bounty tables for each category.
Hai will check in with you after each step to see if you would like to make any changes to the suggestions. Once you have confirmed all adjustments, Hai will automatically update your assets with the necessary tags and create the agreed-upon bounty tables during the setup process.
Review the results under Rewards → Bounty → Scope & Rewards Group
Click Save to update your program scope and rewards page.
What Hackers See
Hackers will see a new combined Scope & Rewards page with:
A program-level scope description, if configured
Reward group sections
Bounty tables inside each group
Asset tables inside each group
An Excluded Assets section at the bottom
They can also use filters such as:
Search by asset name
Filter by scope group
Filter by severity
Filter by bounty eligibility
View changes - shows changes to the program scope or reward tables.
Key Differences From the Old Flow
Aspect | Old Flow | New Flow |
Selecting scope | Select individual assets for the scope table | Select asset tags to create asset groups |
Multiple bounty tables | Workarounds required | Supported natively |
Scope management | Separate from rewards | Combined in one interface |
Hacker view | Separated into different scope and rewards pages | Combined Scope & Rewards page |
Adding new assets | Manual assignment | Automatic by applying a tag in the asset inventory |
Scope descriptions | One program-level description | Per-group descriptions supported |
Program Guidelines page | Shows reward summary | Reward summary removed |
Reward value setting | Select one of Fixed or Range across all tables | Select Fixed or Range per reward group |
Best Practices
Strong approaches
Environment-based - Production, Staging, Development
Business Unit-based - Core Platform, Mobile, APIs
Asset Criticality-based - Tier 1, Tier 2, Tier 3
Regional-based - APAC, EMEA, Americas
Scope-based - Assets requiring Gateway use, Assets not requiring Gateway use
Avoid
Creating too many reward groups at the start
Using internal-only names that hackers will not understand for hacker-facing reward groups
Troubleshooting
Common issues
Issue | Cause | Fix |
In-scope assets cannot be assigned | Assets are untagged or unmapped | Tag assets or create reward groups |
Tags not mapped to reward groups | In-scope tagged assets are not tied to a reward group | Add tags to a reward group |
The tag category dropdown is empty | No reward-enabled categories exist | Create or edit a reward category |
Cannot delete tag category | The category is in use by a program | Change the selected category first |
Assets show in the wrong reward group | Tag selection is incorrect | Update asset tags or group mappings |
The hacker-facing page does not update | Changes were not saved | Click Save changes |
Reverting to the Old Flow
You can revert to the old flow. If you opt to revert:
Old bounty table setup becomes active again
Hackers see the old scope and rewards pages
New flow configuration remains saved
You can switch back later without starting over
Learn more about the old flow here. Once the old flow is discontinued, you will need to use the new setup.
FAQs
Can you use multiple tag categories for rewards within a single program?
No. Each program selects one reward tag category.
What happens to the existing bounty table when the new setup is enabled?
Nothing changes until you click Save changes.
Can the old flow and new flow be used at the same time?
No. Only one flow is active at a time.
Does this affect reports or analytics?
No. This only changes the scope and reward configuration and presentation.
Can system tag categories be used for rewards?
Yes. Any category can be marked as a reward category.
How many reward groups can be created?
There is no hard limit, but 4-6 is the recommended range.
Can different reward groups use Fixed and Range settings?
Yes. Each reward group can use its own setting.
Can one tag appear in multiple reward groups?
No, but multiple asset tags can be connected to one reward group.
