How to add a credentials pool?
The YesWeHack platform provides organisations with Credentials Management features to create, assign, or revoke access for Hunters or Pentesters on specific scopes.
⚠️ These features are only available on Private Programs (Pentest or Bug Bounty programs).
There are two options to manage credentials on the platform:
Email credentials: Hunters/Pentesters request credentials through the platform and provide you with an email address. You are notified of this request, may create the account within your system based on the provided email address, and make it available to them on the platform.
Login credentials: Hunters/Pentesters get credentials from an existing batch of accounts. You provision these accounts and import them into the platform. They are assigned automatically to Hunters/Pentesters when they request credentials on the program.
Both options are based on credential pools, which can be tailored to match your assets and testing needs. For example, you can create pools offering different levels of access rights (e.g., Basic, Advanced, Admin).
💡 For each credentials pool, you can:
Edit the pool (title, descriptions, number of accounts per Hunter or Pentester)
Consult the status and assignment of credentials
Revoke or update assignments
Disable the whole pool
Email credentials – Give access upon request
Go to the “Admin Panel”
Click on “Edit” for the program of your choice
Go to “Credentials” in the left-side panel
Click on “Add credentials pool”
Select “Email Credentials”
Define a “Title” and a “Description” for this pool
For example: “Admin credentials for example.com”
Select the number of credentials a Hunter/Pentester will receive upon request
💡 Tips
A best practice is to provide 2 test accounts for each Hunter or Pentester. This is especially useful when they try to access the data of Account A with Account B.
(optional) Allow YesWeHack email aliases to request credentials. Use this option if you want all Hunters/Pentesters to use the same email format ([email protected]). It might be easier for your monitoring, but make sure that this email domain is supported by your organisation.
Once your pool has been created, it needs to be activated.
Click on “Activate pool” in the Admin Panel / Credentials tab
Invited Hunters/Pentesters are now able to request credentials. These requests will appear as pending in the configuration panel of your Credentials Pool, in the Admin Panel.
Open the pending request to access more details
You will be able to see the email provided by the Hunter or Pentester.
Collect this email and manage it on your side to create the account
Return to the platform and click on “Validate”
2 options are now possible:
Option 1: Provide the password in the platform
Option 2: Rely on an external email solution and confirm to the pentester/hunter that the account has been created
Option 1: Provide the password in the platform
Check “Specific password”
Type in the password of your choice
Click on “Validate”
Option 2: Rely on an external email solution
You also have the option of activating the account via an external solution. This option relies on your internal tools & processes to send the password via email to the Hunters/Pentesters.
For example, the user will receive an automatic email to activate the account and create a password themselves.
Check “Activation by external email solution”
Click on “Validate”
Hunters/Pentesters will receive a confirmation email once credentials are given.
Login credentials – Provision a batch of ready-to-use accounts
Go to the “Admin Panel”
Click on “Edit” for the program of your choice
Go to “Credentials” in the left-side panel
Click on “Add credentials pool”
Select “Login Credentials”
Define a “Title” and a “Description” for this pool:
For example: “Admin credentials for http://Example.com”
Select the number of credentials a Hunter or Pentester will receive upon request
💡 Tips
A best practice is to provide 2 test accounts for each Hunter or Pentester. This is especially useful when they try to access the data of Account A with Account B.
You must now add credentials to this pool before activating it:
Click on “+ Add Credentials”
Select the method of your choice:
Method 1: Add credentials manually
Type the login & password for every account you would like to add
Click on “Validate”
Method 2: Import a CSV file
Import a CSV file based on a very straightforward template: login, password, and username in case you would like to add already assigned credentials.
Your Login Credentials pool is now created and credentials have been added.
Click on “Activate pool” to make it available to Hunters/Pentesters
Track in real time which credentials have been assigned and which remain available.
⚠️ Make sure to always have credentials ready for your Hunters or Pentesters, especially before inviting new ones to your program.
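For Method 2 (CSV import) above, a batch of test accounts can be generated and sanity-checked before the file is uploaded. The Python script below is an added example, not YesWeHack code: only the login, password, username column order comes from this page, while the header row, the login naming scheme, and the reading of the username column as the name of the tester who already holds the account are assumptions.

```python
import csv
import io
import secrets
import string

# Column order as listed on the page; emitting a header row is an assumption.
COLUMNS = ["login", "password", "username"]
# Letters and digits only, so no value starts with =, +, - or @ in a spreadsheet.
ALPHABET = string.ascii_letters + string.digits

def new_password(length=20):
    """Random password from the OS CSPRNG, generated per account."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def build_pool(prefix, domain, testers, per_tester=2, preassigned=None):
    """Rows for `testers` testers with `per_tester` accounts each.
    `preassigned` maps a login to the username already holding it (assumed meaning)."""
    preassigned = preassigned or {}
    rows = []
    for n in range(1, testers * per_tester + 1):
        login = f"{prefix}-{n:03d}@{domain}"  # hypothetical naming scheme
        rows.append({"login": login, "password": new_password(),
                     "username": preassigned.get(login, "")})
    return rows

def check_pool(rows, per_tester=2, min_length=16):
    """Return the problems to fix before importing the file."""
    problems = []
    logins = [r["login"] for r in rows]
    passwords = [r["password"] for r in rows]
    if len(set(logins)) != len(logins):
        problems.append("duplicate login")
    if len(set(passwords)) != len(passwords):
        problems.append("password shared between accounts")
    if any(len(p) < min_length for p in passwords):
        problems.append("password shorter than minimum")
    if len(rows) % per_tester:
        problems.append("account count is not a multiple of accounts per tester")
    return problems

def to_csv(rows):
    """Serialise rows to CSV text."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()
```

Run `check_pool` on the rows before writing the file, and delete the generated CSV once the import has succeeded, since it holds every password in clear text.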