Welcome Edit the Doc Site Product Offerings Program Starting Point Program Types Private vs. Public Programs Parent/Child Programs VDP vs. BBP Using Markdown Running a Good Program General Settings Security Page Program Metrics Response Target Indicators Top Hackers Policy and Scope Good Policies Defining Scope Scope Best Practices Asset Types Severity Environmental Score Bounty Tables Importance of Bounty Tables Submit Report Form Report Templates Pausing Report Submissions Response Targets Response Target Metrics Setting Response Targets Invitations CVE Requests Submission Signal Requirements Human-Augmented Signal Groups and Permissions Single Sign-On via SAML JIT Provisioning Domain Verification Google Okta OneLogin FAQs Two-Factor Authentication Invalid OTP Code Sessions Credential Management Notifications Response Programs Inbox Inbox Views Report Management Report Actions Report States Report Components Quality Reports Locking Reports Duplicate Reports Exporting Reports Response Labels Keyboard Shortcuts Custom Fields Disclosure Limiting Disclosed Information Retesting Automation Common Responses Triggers Hackbot Reducing Noise Supported Integrations Integration Variables Webhooks API Tokens Assembla Bugzilla Freshdesk GitHub GitLab HackEDU IBM Resilient Jira Jira Cloud Setup Jira Server Setup Multiple Integrations Jira FAQs Kenna Security MantisBT Microsoft Teams OTRS PagerDuty Phabricator Redmine ServiceNow Slack Splunk Sumo Logic Trac Zendesk Billing Bounties Swag Bonuses Dashboards Submissions Dashboard Statistics Dashboard Hacker Feedback Dashboard Explore Audit Logs Hacktivity Communicating with Hackers Message Hackers Banning Hackers Hacker Email Alias Hacker Mediation Hacker Reviews Disclosure Assistance Advanced Vetting Gateway FAQs Pentest Overview FAQs Email Forwarding Embedded Submission Form Import Vulnerabilities IP Allowlists Password Best Practices Slack Shared Channels Policy and Scope The policy section enables organizations to publish information about their program in order to communicate the specifics about their program to hackers. Organizations typically publish a vulnerability disclosure policy with guidance on how they want to receive information related to potential vulnerabilities in their products or online services.
The policy also includes your program’s scope which is the list of items you'd like hackers to test and send reports in for. It is often defined by the domain name for web applications, or by the specific App Store / Play store mobile apps that your company builds.