Hackers submit reports to your security team that contain detailed information about the security issues that the hacker has identified.
One of the most important elements of running a successful bug bounty campaign is getting high-quality reports in which hackers provide all the information you need to verify and validate the vulnerability. You can customize the form where hackers submit their vulnerability reports.
Customizing the Report Submissions Form Page
To customize your report submissions form page:
Go to Engagements > Settings > Program > Submit Report Form.
Toggle Yes or No for these options:
Accepting new report submissions
Set to Yes if you'd like to receive new report submissions.
Set to No to stop receiving new reports. A good time to stop receiving new reports is when you're behind on triaging and responding to the reports you've already received. Pausing new submissions lets you catch up on your current reports.
Accepting critical report submissions even when not accepting new reports
Even if you're not accepting new report submissions, hackers can still submit new reports if they find critical vulnerabilities in your program. Set to Yes if you've paused new report submissions but still want to receive critical reports.
Edit these sections:
This text is shown at the top of the report submissions page for hackers. You can:
highlight important information from your policy and bounty eligibility
specify attributes of a good report
address frequently asked questions
provide any additional guidance for hackers
Configure the Markdown-based report template with the information you want hackers to provide. The template will be pre-populated with your requested fields when a hacker submits a new report. The more detail you put in the template, the more likely hackers are to give you all the information you need to verify and validate the report. Note: The template must be written in Markdown.
A weakness is a type of mistake in software that introduces vulnerabilities within that software. All weaknesses are shown by default and are organized in clusters (sets of weaknesses). To edit vulnerability display preferences, click Edit and choose from these options:
Show: Reports can be submitted. You can add a contextual message if you have extra instructions or information pertaining to the weakness. Hackers can see the extra instructions on the submission page after selection.
Hide: The weakness isn't shown on the submission page and is not available to be selected by hackers.
Disable: The weakness will be displayed, but reports with this weakness can't be submitted. This option is often used if there is a common weakness type you've decided to put out of scope and you wish to attach an explanation of why this weakness type is out of scope.
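A sample of what the Markdown report template described above might contain, added here as an illustration and not taken from the platform's own defaults. Every section name and prompt in it is an assumption to adapt to your policy and scope:

```markdown
<!-- Added example template: section names and prompts are assumptions, not platform defaults. -->
## Summary
[One or two sentences: what is affected and what the issue allows.]

## Affected asset
- Asset (URL, app, or host from the program scope):
- Account or role used for testing:
- Date and time of testing (with time zone):

## Weakness
[The weakness type selected on the submission form, and why it applies.]

## Steps to reproduce
1. [Starting state: logged in or out, role, required settings]
2. [Exact request or UI action]
3. [What you observed]

## Expected vs. actual behavior
- Expected:
- Actual:

## Impact
[What data or functionality is exposed, to whom, and under what preconditions.]

## Supporting material
- [Screenshots, request/response pairs, or logs, with secrets and other users' data redacted]

## Suggested fix (optional)
[Any remediation idea you want to share.]
```

Asking for the starting state, the exact action, and expected versus actual behavior as separate fields gives triagers what they need to reproduce a report without a follow-up round trip.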