Why the grey-box approach
Grey-box security testing is a security assessment approach in which the tester has partial knowledge of the system under evaluation. In the context of Bug Bounty programs, it typically involves providing Hunters with credentials to specific environments.
This access enables a deeper exploration of vulnerabilities — including post-authentication flaws, API misuse, business logic errors, and misconfigurations — that might be missed during black-box testing.
Grey-box testing forms a critical part of an in-depth security strategy, helping programs achieve state-of-the-art protection for their most critical and complex assets.
ℹ️ Do not hesitate to reach out to your Customer Success Manager to get guidance on the best testing strategy moving forward.
How to set it up for Hunters?
Go to the “Admin Panel”
“Edit” the program of your choice
ℹ️ To learn more about program creation and standard features (rules, scopes, qualifying vulnerabilities, etc.) check this article.
Go to the “Hunting Requirements” section of the program page
Indicate the scopes with restricted access and how you want them to be tested
We will now learn how to create and manage a credentials pool.
How to manage credentials?
The YesWeHack platform provides organisations with Credentials Management features to create, assign, or revoke accesses to Hunters on specific scopes.
ℹ️ These features are only available on Private Programs.
There are two options to manage credentials on the platform:
Email credentials: Hunters request credentials through the platform and provide you with an email address. You are notified of the request, create the account in your own system for that email address, and then make it available to them on the platform.
Login credentials: Hunters get credentials from an existing batch of accounts. These accounts are provisioned and imported into the platform by you, and are assigned automatically to Hunters when they request credentials on the program.
Both options are based on credential pools, which can be tailored to match your assets and testing needs. For example, you can create pools offering different levels of access rights (e.g., Basic, Advanced, Admin).
💡 For each credentials pool, you can:
Edit the pool (title, description, number of accounts per Hunter);
Consult the status and assignment of credentials;
Revoke or update assignments;
Disable the whole pool.
Email credentials – Give Hunters access upon request
Go to the “Admin Panel”
Click on “Edit” for the program of your choice
Go to “Credentials” in the left-side panel
Click on “Add credentials pool”
Select “Email Credentials”
Define a “Title” and a “Description” for this pool
For example: “Admin credentials for example.com”
Select the number of credentials a Hunter will receive upon request
💡 Tips
A best practice is to provide 2 test accounts for each Hunter. This is especially useful when they test whether Account B can access data belonging to Account A.
(optional) Allow YesWeHack email aliases to request credentials. Use this option if you want all Hunters to use the same email format ([email protected]). This can make your monitoring easier, but make sure this email domain is supported by your organisation.
Once your pool has been created, it needs to be activated.
Click on “Activate pool” in the Admin Panel / Credentials tab
Invited Hunters are now able to request credentials. These requests appear in the configuration panel of your Credentials Pool, in the Admin Panel, and are marked as pending:
Open the pending request to access more details
You will be able to see the email provided by the hunter.
Use this email address to create the account on your side
Return to the platform and click on “Validate”
Two options are now available:
Option 1: Provide the password in the platform;
Option 2: Rely on an external email solution and confirm to the hunter that the account has been created.
Option 1: Provide the password in the platform
Check “Specific password”
Type in the password of your choice
Click on “Validate”
Option 2: Rely on an external email solution
You also have the option of activating the account via an external solution. This option relies on your internal tools and processes to send the password to the Hunter by email.
For example, the Hunter receives an automatic email inviting them to activate the account and set a password themselves.
Check “Activation by external email solution”
Click on “Validate”
Hunters will receive a confirmation email once credentials have been provided:
Login credentials – Provision a batch of ready-to-use accounts
Go to the “Admin Panel”
Click on “Edit” for the program of your choice
Click on “Add credentials pool”
Select “Login Credentials”
Define a "Title" and a "Description" for this pool
For example: "Admin credentials for example.com"
Select the number of credentials a Hunter will receive upon request
💡 Tips
A best practice is to provide 2 test accounts for each Hunter. This is especially useful when they test whether Account B can access data belonging to Account A.
You must now add credentials to this pool before activating it:
Click on “+ Add Credentials”
Select the method of your choice:
Method 1: Add credentials manually
Type the login and password of every account you would like to add
Click on “Validate”
Method 2: Import a CSV file based on a straightforward template: login, password, and username (the latter only for credentials that are already assigned to a Hunter).
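As an added example (not YesWeHack's own code or template), the following script prepares and sanity-checks a batch of test accounts before importing it as a CSV: it rejects empty or duplicate logins and empty passwords, and lets the csv module quote any password containing a comma. The column names and their order (login, password, username) are an assumption based on the description above; compare with the template provided by the platform before importing.

```python
import csv
import io

# Assumed column order of the import template (not confirmed by the page).
FIELDS = ["login", "password", "username"]

def validate_accounts(accounts):
    """Return problems found in the account rows (empty list if OK).
    Each account: login, password, optional username (the Hunter's platform
    username, only for credentials that are already assigned)."""
    problems, seen = [], set()
    for idx, acc in enumerate(accounts, start=1):
        login = (acc.get("login") or "").strip()
        password = acc.get("password") or ""
        if not login:
            problems.append(f"row {idx}: empty login")
        elif login in seen:
            problems.append(f"row {idx}: duplicate login {login!r}")
        seen.add(login)
        if not password:
            problems.append(f"row {idx}: empty password for {login!r}")
        elif password != password.strip():
            problems.append(f"row {idx}: password for {login!r} has surrounding whitespace")
    return problems

def build_csv(accounts):
    """Serialise validated accounts to the three-column CSV; raise on problems."""
    problems = validate_accounts(accounts)
    if problems:
        raise ValueError("; ".join(problems))
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()  # csv quotes fields containing commas or quotes
    for acc in accounts:
        writer.writerow({"login": acc["login"].strip(),
                         "password": acc["password"],
                         "username": acc.get("username", "")})
    return buf.getvalue()

# Constructed sample batch: two unassigned accounts and one pre-assigned one.
SAMPLE = [
    {"login": "test-user-01@example.com", "password": "Pl@ceholder-01"},
    {"login": "test-user-02@example.com", "password": "Pl@ceholder,02"},
    {"login": "test-user-03@example.com", "password": "Pl@ceholder-03",
     "username": "hunter_alice"},
]
```

Write the returned string to a file and upload it via “+ Add Credentials”; the example only checks the file you are about to import, it does not talk to the platform.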
Your Login Credentials pool is now created and credentials have been added.
Click on “Activate pool” to make it available to Hunters
ℹ️ Make sure to always have credentials ready for your Hunters, especially before inviting new ones to your program.