Building a Bug Bounty Program with VPN Requirements

Grant Hunters access to specific perimeters with our VPN

Updated this week

Why require Hunters to use the YesWeHack VPN?

Requiring researchers to connect via a VPN provides several key benefits:

  • IP Whitelisting

    Simplify perimeter defense by allowing only traffic from known, trusted IP addresses, while easily monitoring hunters' activity.

  • Secure access to private & sensitive assets

    Restrict access to staging environments or internal applications that aren’t exposed to the public internet.


Which scopes should require VPN access?

Check for scopes with the following attributes:

  • Non-Public Assets

    If the system is not accessible over the public internet (e.g., internal IP ranges, staging environments), VPN access is likely needed.

  • Assets Behind a Firewall or IP Whitelisting

    Scopes that require specific IPs to be whitelisted for access should use a VPN.

💡Use case examples:

  • Public Asset, No IP filtering: No VPN required.

  • Public Asset, IP filtering: VPN required.

  • Public Asset with a dynamic IP and IP filtering: VPN required. Reach out to your Customer Success Manager for the implementation.

  • Private asset, no public IP address: Discuss ad-hoc solutions with your Customer Success Manager.


How to configure the VPN on your programs

  • Go to the “Admin Panel”

  • Select the program with the relevant scopes and click on “Edit”

  • Go to the “Hunting Requirements” section

  • Enter one IP address or range per line to cover your different scopes

    For instance:

💡Tips

You only need to include the scopes for which you want Hunters to use a VPN. If required, an automated check will route requests through the VPN’s outbound IP address.

The VPN requirement will be visible to Hunters once your program changes are saved. You will also be able to view the outbound IP address of the YesWeHack VPN.

💡Whitelist the VPN Outbound IP in your tools to ensure proper access to your assets.
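
One way to check, on your side, that the allowlist matches the scope list you entered is sketched below. This is an added example, not YesWeHack code: the outbound IP, the scope entries and the "source destination" log format are constructed placeholders, and CIDR notation for ranges is an assumption.

```python
import ipaddress

# Constructed placeholders (RFC 5737 documentation ranges), not real YesWeHack values.
VPN_OUTBOUND_IP = ipaddress.ip_address("203.0.113.10")
SCOPE_LIST = """\
198.51.100.25
192.0.2.0/28
"""

def parse_scopes(text):
    """Parse one IP address or CIDR range per line; reject malformed entries."""
    networks = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=True rejects ranges with host bits set, e.g. 192.0.2.5/28
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {entry!r} is not an IP or range: {exc}")
    return networks

def classify(src, dst, scopes):
    """Label one connection against the allowlist policy."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not any(dst_ip in net for net in scopes):
        return "out-of-scope"        # asset is not VPN-restricted
    if src_ip == VPN_OUTBOUND_IP:
        return "hunter-via-vpn"      # expected bug bounty traffic
    return "should-be-blocked"       # allowlist gap: non-VPN source reached a restricted asset

# Constructed access-log sample: "source destination" per line.
SAMPLE_LOG = """\
203.0.113.10 198.51.100.25
198.51.100.77 192.0.2.4
203.0.113.10 192.0.2.200
"""

def review(log_text, scope_text=SCOPE_LIST):
    scopes = parse_scopes(scope_text)
    return [classify(*line.split(), scopes) for line in log_text.splitlines() if line.strip()]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG.splitlines(), review(SAMPLE_LOG)):
        print(f"{line:32} {verdict}")
```

Any "should-be-blocked" result means a source other than the VPN outbound IP reached a VPN-restricted asset, so the firewall or WAF rule for that scope needs tightening.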

To consult the VPN configuration file:

  • Go to “My YesWeHack Tools” in the profile drop-down, on the top-right menu

  • Click on “VPN”

  • Click on “Download my VPN configuration”

The configuration file looks like this:

ℹ️ It is also possible to create a dedicated password to log in to the VPN configuration.