The Credential Management feature enables you to easily share access credentials with hackers so that you don't have to constantly create sign-in credentials for each new hacker who participates in your program. This also enables participating hackers to quickly retrieve the credentials needed to find vulnerabilities in your program.
Note: This feature is currently only available for private Bug Bounty programs.
Setup
To set up Credential Management for your program:
Go to Program Settings > General > Credential Management.
Click Import CSV file to upload the CSV file of credentials that you want to share. The CSV file supports a set of headers and values where each row is a set of credentials that can be claimed by a hacker.
Click Next.
Review your uploaded credentials in the preview window and click Next.
Write instructions you want to communicate to the hacker when they claim one of your credentials.
Click Done.
Your uploaded credentials will populate on your Credential Management page where you can see which credentials have or haven’t been claimed. Claimed credentials will also display the username of the hacker under the Claimed by column. From here, you also have the option to edit, revoke, or recycle credentials.
If a hacker has violated your policy or HackerOne’s code of conduct, you can revoke the credential rights of a hacker by clicking Revoke next to the username of the hacker. You'll also need to invalidate the account on your own platform to prevent the hacker from logging in.
The username of the account the hacker created using the provided credentials will display on the submitted report under the Account details used section.
How It Works
Once you’ve set up credential management, hackers participating in your program will be able to retrieve their credentials by clicking the Show Credentials button on your security page.
The Credentials window will then display instructions where the hacker can claim one of the credentials you’ve provided. They’ll be prompted to enter the username of the account they created using the credentials provided.
Hackers can only claim 1 set of credentials. If they want a second set of credentials, you can revoke their first set and then have them request another.