Defining Scope

Define which assets you want hackers to hack on and how bounty applies

Updated over a week ago

Your Scope is a collection of assets you want hackers to hack on. When assets are listed, hackers are required to select the applicable asset for each report. Any special requirements will now be explicitly attached to the particular asset in question.

To Create and Edit your Scope

To view and edit your existing scope:

  1. Go to the Scope section in Program Settings > Program > Scope.
    ​

    Scope settings
  2. Click on Add asset. It will bring you to this page:
    ​

  3. Fill out the different fields and click Save. For each asset, you can fill out:

Option

Details

Types

The asset type.
You can choose from these options: CIDR, Domain, iOS: App Store, iOS: Testflight, iOS: .ipa, Android: Play Store, Android: .apk, Windows: Microsoft Store, Source Code, Executable, Hardware/loT, Other.

Identifier

How hackers will know that they are at the correct asset that you specified.

Eligibility for Submission

Whether you want hackers to submit reports about this asset. If you select "no", hackers will see the asset on a report form with a red warning and won't be able to submit reports marked for this asset.

Eligibility for Bounty

Whether you intend on providing bounties for this asset or not. If you have a mixed Bug Bounty/Vulnerability Disclosure program, you'll want to explicitly mark the assets you will or will not pay for. This shows up to hackers on both your team profile and the report submission form.

These metrics determine the severity of the vulnerability for the asset. You can adjust the severity of each vulnerability submission based on the environment by specifying the maximum impact on Confidentiality, Integrity, or Availability of that asset's data.

Asset Labels

Add specific labels to the different categories pertaining to the asset. You can add asset labels to these fields: Coding Language, Framework, Cloud and Infrastructure, Database, Content Management System, Country, Spoken Language, and Cryptocurrency.
​
The labeled descriptors provide more granular data about the program and the assets associated with it. This helps with matching the right hackers to your program.

Instruction

If you have any detailed descriptions or comments on the asset, this field will show on both your program profile page and your report submission form.

Why Should I Define My Scope?

  • Defining assets clearly helps you communicate with hackers easily.

    • For an asset you don't want reports on, list it as out of scope. Hackers can't submit for that asset and will see a red warning when they select that asset.

    • For an asset that you won't pay bounties for, communicate this up front by setting the bounty eligibility to false. When hackers submit, they will receive a warning that this is not a paid asset. This is only applicable to Bug Bounty Programs.

  • Setting asset importance will help you set better priorities via better report severity.

    • When you set the Environmental Score of your asset, we automatically limit the severity of the report based on the risk profile of the asset. For example, it might be impossible for you to have a "Critical" vulnerability in a static marketing asset.

  • Your reports will be tagged by the selected asset.

    • You can sort through your reports by asset, such as differentiating the reports for your mobile app vs. your web app.

    • Do data analysis per domain - Is it time to switch your marketing site provider, because all your vulnerabilities stem from that area? Is one particular engineering team responsible for 90% of your Cross-Site Scripting vulnerabilities?

Did this answer your question?