Hacking on Spot Checks

Hackers: Bite-sized, pay-for-effort engagements to validate proof of coverage



Spot checks are bite-sized, pay-for-effort engagements focusing on a specific feature or vulnerability in an organization’s assets. These engagements are targeted in scope and come with a detailed report validating proof of coverage.

How can I access spot checks?

You can access any spot checks to which you have been invited through the My Spot Checks overview on the hacker dashboard. The same overview also lists any spot checks you have worked on before.

When you are invited to a spot check, you will also receive an invitation email. Any invitations can also be accepted from the My Spot Checks overview. Please make sure to review the details before accepting.

What do I do after I have accepted a spot check?

After accepting a spot check invitation, you will have 7 days to submit a write-up. You can submit a write-up by clicking the “Submit findings” button for the accepted spot check and filling in the required steps. These include:

  • Executive summary (Summary of your findings)

  • Scope (What assets, CVEs, or Weaknesses did you focus on?)

  • Methodology and tooling (Specify what methodology and tooling you used during this spot check.)

  • Findings and Evidence (Mention specifics of your findings and link any vulnerability reports as part of your evidence.)

  • Related vulnerabilities (Link any vulnerability reports as part of your evidence.)

Please always take the instructions into account while working on the spot check. Also, please keep in mind that if you find any vulnerabilities as part of the spot check, you might be eligible for a reward according to the program's bounty table. To qualify for this, you still need to submit a vulnerability report to the program and attach it to the spot check report. Use the dropdown in the spot check write-up form to attach any vulnerability reports.

After submitting, the program will review your work. Once they approve, you’ll be awarded for the spot check. You can edit your write-up as long as the 7-day deadline has not yet passed and the program has not yet approved your write-up.


Q: What do I write in the report, especially if I don't find anything?

A: By no means does the lack of findings imply a bad or lacking spot-check write-up. Please focus on the steps you took to test the scope, what methods and tooling you used, and provide evidence.

Q: How would I assign severity/weakness/etc for the spot check write-up?

A: There is no need to assign a severity or weakness to a spot check. Please submit a vulnerability report to the program for any vulnerability you find during the spot check. The process for this is as usual. Please make sure to link these vulnerabilities to the spot check write-up.

Q: Will I be able to communicate directly with the customer team?

A: Direct interaction on the spot check is not currently possible. However, you can communicate with the team on any reported vulnerabilities as usual.

Q: If I find multiple vulnerabilities, should I submit multiple reports?

A: Yes, please submit a vulnerability report to the program as you would for any other vulnerability you find. Please link any found vulnerabilities in the spot check write-up when submitting.

Q: How do spot checks affect my rep/signal/impact stats?

A: Spot checks don’t currently affect reputation, signal, or impact statistics.

Q: How do I get involved in spot checks?

A: You will receive an invitation email whenever you are invited to join a spot check. The higher your reputation, the more likely you will be invited to a spot check.
