Why launch a Bug Bounty program
A Bug Bounty program gives you access to a large, diverse pool of skilled security researchers.
Our community of hunters provides a continuous audit of your growing attack surface to uncover high-impact vulnerabilities, even on heavily pentested scopes.
Extend your testing capabilities and maximise test coverage with Bug Bounty programs!
How to create a Bug Bounty Program
ℹ️ You must be a Business Unit Owner or a Business Unit Manager to set up a program; Program Managers can edit their own program(s).
Go to the “Admin Panel”
Select the “Bug Bounty” tab
Click on “+ Bug Bounty”
ℹ️ To save time when creating a new program, you can clone an existing one (e.g., to get started, you can clone the Demo Bug Bounty Program to create your first one). Learn more in the “Program cloning and archiving” section.
Program Details
Let's fill out the key information of your program.
⚠️ Important: the title you choose will appear in the program’s URL. It cannot be changed afterward without admin assistance.
Add the “tags” of your choice (optional)
ℹ️ Learn how to add tags on the platform here.
Select the “Supported languages” (5 languages maximum)
ℹ️ We recommend English, so that reports are consistent and easy to process regardless of their source.
Program Configuration
Set the “state” of your program (disabled by default)
Choose a private or a public “visibility”
ℹ️ Reach out to your Customer Success Manager for the best visibility strategy. Programs usually start private before ramping up to public.
Enable the “Security” option to require hunters to set up TOTP (two-factor authentication) before they can access the Bug Bounty content
ℹ️ Security: this option is only available for private programs and does not affect users who authenticate through SSO.
Check “collaboration” to allow Hunters to collaborate and share the rewards of a given report
Focus on Hunter collaboration
Hunter collaboration is a program feature allowing several hunters to submit a report together and share the reward.
As a program manager, you can interact with several hunters on a given report and benefit from their combined skills without worrying about reward sharing: the reward is split automatically between the hunters.
This is fully transparent for the program manager and often leads to interesting findings.
We strongly recommend enabling it.
Check “Video attachment” to enable Hunters to attach videos to their reports. This might prove useful when demonstrating a proof of concept.
Several features are also available to share more information about the program with hunters. They can help attract additional hunters and drive engagement on your programs.
“Hacktivity” shows the flow of reports submitted by Hunters
“Reports per scope” indicates the number of reports submitted against each scope of the program
“Hall of fame” ranks the Hunters on the program, based on submitted reports and points earned
SLAs
Define the expected remediation time (i.e., the “service level agreement for remediation”) from 'Accepted' to 'Resolved' status
Focus on SLA for remediation
In the platform, you can configure a Service Level Agreement (SLA) for remediation, in days. For each severity level, you specify the expected time for a vulnerability to be remediated. Note: Hunters cannot see the SLA.
When enabled, the platform automatically computes a "due date" from each report's acceptance date (status "Accepted"). Remediation (status "Resolved") must be completed before this due date; otherwise the report is considered "overdue".
The SLA applied to a report is the policy that was configured at the time the report was created; later changes to the policy do not move the due dates of existing reports.
You can track SLAs across all your reports with our SLA Dashboard.
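The due-date logic described above, as an added example that is not part of the YesWeHack platform or documentation. The SLA numbers, report references and dates are constructed for illustration; the example models the two points a practitioner usually gets wrong: the clock starts at "Accepted" (not at creation), and the policy in force at creation is frozen into the report.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional

# Constructed example policy: remediation SLA in days per severity.
# These numbers are assumptions for illustration, not platform defaults.
DEFAULT_SLA_DAYS: Dict[str, int] = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Report:
    ref: str
    severity: str
    # The SLA policy in force when the report was created is frozen into the
    # report, so later edits to the program's grid do not move its due date.
    sla_days: Dict[str, int]
    accepted_on: Optional[date] = None
    resolved_on: Optional[date] = None


def create_report(ref: str, severity: str, policy: Dict[str, int]) -> Report:
    """Snapshot the current SLA policy into the new report."""
    if severity not in policy:
        raise ValueError(f"no SLA configured for severity {severity!r}")
    return Report(ref=ref, severity=severity, sla_days=dict(policy))


def accept(report: Report, on: date) -> None:
    """Status 'Accepted': the remediation clock starts here, not at creation."""
    report.accepted_on = on


def resolve(report: Report, on: date) -> None:
    """Status 'Resolved': the clock stops here."""
    if report.accepted_on is None:
        raise ValueError("a report must be accepted before it is resolved")
    report.resolved_on = on


def due_date(report: Report) -> Optional[date]:
    """Due date = acceptance date + SLA days for the report's severity.
    A report that has not been accepted yet has no due date."""
    if report.accepted_on is None:
        return None
    return report.accepted_on + timedelta(days=report.sla_days[report.severity])


def is_overdue(report: Report, today: date) -> bool:
    """Overdue if resolved after the due date, or still open past it.
    Resolving exactly on the due date is on time."""
    due = due_date(report)
    if due is None:
        return False
    end = report.resolved_on if report.resolved_on is not None else today
    return end > due


def overdue_reports(reports: Iterable[Report], today: date) -> List[str]:
    """What an SLA dashboard would list: references of overdue reports."""
    return [r.ref for r in reports if is_overdue(r, today)]


if __name__ == "__main__":
    policy = dict(DEFAULT_SLA_DAYS)
    r = create_report("EXAMPLE-1", "high", policy)
    accept(r, date(2024, 1, 10))
    print(r.ref, "due on", due_date(r), "- overdue on 2024-03-01:", is_overdue(r, date(2024, 3, 1)))
```

If you rebuild such a dashboard from exported report data, store the severity and the SLA grid alongside each report rather than joining against the current program configuration, or a later policy change will silently rewrite historical compliance.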
Hunting requirements (Optional)
Tick the “VPN” box to inform hunters that a VPN must be used and to route their traffic through YesWeHack’s VPN server towards your IPs (e.g., when the scope is not otherwise reachable, or so that hunter traffic comes from known source IPs that you can allowlist instead of banning)
ℹ️ Learn more about the YesWeHack VPN in our dedicated article.
Define the “Account access” (e.g. “This program also allows greybox testing. You can request and automatically obtain credentials.”)
ℹ️ Read more about credentials and how to provide them to Hunters here.
If you want hunters to append a specific string to their User-Agent header when testing your assets, enter that value in the “User Agent” field. It lets your teams recognise hunter traffic in logs and WAF alerts.
⚠️ Do not use a value that can be guessed: anyone who can guess the marker can make their traffic look like authorised testing (e.g., prefer “BugBounty/MYC0MP4N7-1337” to “BugBountyYesWeHack”). The User-Agent header is set by the client, so treat the marker as a triage aid, not as authentication.
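How the marker is used on the receiving side, as an added example that is not part of the page or the YesWeHack platform: a small parser for Apache/nginx "combined" access logs that separates requests carrying the configured marker from everything else. The log lines, IPs and paths are constructed; the marker value is the one the page uses as its example.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Constructed sample lines in combined log format (documentation IP ranges,
# fictional paths). The last line carries a guessable string, not the marker.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2024:13:55:36 +0000] "GET /api/invoices/1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) BugBounty/MYC0MP4N7-1337"
198.51.100.7 - - [10/Oct/2024:13:55:40 +0000] "GET /api/invoices/2 HTTP/1.1" 403 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
203.0.113.10 - - [10/Oct/2024:13:56:01 +0000] "POST /login HTTP/1.1" 401 128 "-" "python-requests/2.31 BugBounty/MYC0MP4N7-1337"
192.0.2.44 - - [10/Oct/2024:13:57:12 +0000] "GET /admin HTTP/1.1" 404 0 "-" "BugBountyYesWeHack"
"""

# Combined format: ip ident user [timestamp] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields, or None for a line that is not in combined format."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def is_hunter_request(user_agent: str, marker: str) -> bool:
    """Hunters append the marker to their normal User-Agent, so match it as a
    whitespace-delimited token rather than as a loose substring."""
    return marker in user_agent.split()


def partition_log(lines: Iterable[str], marker: str) -> Tuple[List[dict], List[dict]]:
    """Split parsed requests into (hunter traffic, everything else)."""
    hunters: List[dict] = []
    others: List[dict] = []
    for line in lines:
        rec = parse_line(line.rstrip("\n"))
        if rec is None:
            continue  # malformed line; production code would count and alert on these
        (hunters if is_hunter_request(rec["ua"], marker) else others).append(rec)
    return hunters, others


def hunter_source_ips(lines: Iterable[str], marker: str) -> List[str]:
    """Source IPs seen with the marker; worth cross-checking against the VPN
    egress address when the program requires the YesWeHack VPN."""
    hunters, _ = partition_log(lines, marker)
    return sorted({r["ip"] for r in hunters})


if __name__ == "__main__":
    marker = "BugBounty/MYC0MP4N7-1337"
    tagged, untagged = partition_log(SAMPLE_LOG.splitlines(), marker)
    print(f"{len(tagged)} hunter requests from {hunter_source_ips(SAMPLE_LOG.splitlines(), marker)}")
    print(f"{len(untagged)} other requests need normal triage")
```

Because the header is attacker-controlled, the split above is a triage convenience: it tells your SOC which alerts can probably be matched to bounty activity and which cannot, it does not prove who sent the request. When the VPN requirement is enabled, the source IP gives you a second, independent signal to correlate with.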
Bug Bounty Description
Define each “Scope type”, “Scope” and “Asset value” (Note: each asset value is attached to a specific reward grid)
ℹ️ A well defined program is made of precise rules and scopes. Check this article to learn more about scopes and how they impact hunters' rewards.
Include as many scopes as needed by clicking on “+ Add scope”
ℹ️ Make sure to be exhaustive when listing your scope. Anything not listed will be considered out of scope for testing.
Do not hesitate to reach out to your Customer Success Manager for support.
List the “Qualifying and Non-Qualifying Vulnerabilities”, and clarify what is considered “out of scope” (one per line)
ℹ️ Tip: Clone the demo Bug Bounty Program and retrieve an existing list of qualifying and non-qualifying vulnerabilities to use for your program.
“Leaks and Exposed Credentials” can be defined in the platform as eligible for a reward. They depend on:
The source of the leak (i.e., is the source an asset in scope of this program)
The impacted asset (i.e., is the asset in scope of this program)
ℹ️ Default values are defined within the YesWeHack Admin platform, and modifications require admin validation.
Define the:
“Reward Type” (bounty or gift)
“Reward Visibility” (max reward vs. average reward)
“Amount of Rewards” for each severity level and asset value. This grid steers hunters towards your high-value assets and helps YesWeHack’s triage assess impact.
ℹ️ Take your time to configure this grid. Leverage your Customer Success Manager and their expertise on Bug Bounty programs to help you define it.
Some vulnerabilities can be reported multiple times when they are triggered through different parameters or on different scopes.
For instance:
An XSS affecting different parameters on the same vulnerable page
The same vulnerability on several scopes (e.g., an IDOR on app.domain.com via /invoices/user/1 and the same IDOR on preprod-app.domain.com, also via /invoices/user/1)
These are called Systemic Issues.
YesWeHack’s platform lets you define decreasing rewards for this type of issue.
ℹ️ This “Systemic Issues Grid” makes report management easier and gives Hunters clear visibility into the program’s reward policy.
Triage takes the Systemic Issues decreasing grid into account in its reward suggestions.
The next part of the program creation is dedicated to the program "policy".
This is essentially the set of rules that Hunters must follow on your programs, as well as information about the different scopes.
Write the program “Policy” in the text field. Include as many details as you deem important for Hunters.
YesWeHack provides a template and guidance through our Customer Success Managers.
Upload your files in the Attachments area, or simply drag and drop them (optional). These additional documents can help Hunters better understand your programs and the assets to be tested.
Focus on program attachments
Attaching files to your programs provides Hunters with more testing resources.
Supported formats:
JPEG, PNG, TXT, PDF (5MB max)
APK, AAB, IPA, ZIP (500MB max)
An ID and a reference link are generated for each uploaded file.
Program attachments do not appear directly to Hunters.
Their reference links must be copied in the Policy Description or Hunting Requirements/Account Access text areas.
You can either:
Put a direct link to the file by adding the file ID (i.e. YWH-PXXX) in the description.
Put an image inline by copying the reference link, or manually using {YWH-PXXX} syntax in the description.
Before completing your program creation, you can use the preview mode to make sure that it renders as expected.
Click on “Save”
Your Bug Bounty Program is now created!
Program cloning and archiving
You can clone your previous programs as a template to save time when creating new ones. You may also simply archive them.
Program cloning
Two of an organisation’s programs often share a lot:
List of qualifying vulnerabilities
Company information
Program rules
Titles and layout
Since the program creation form is quite detailed, with numerous fields to fill out, it is convenient to clone an existing program and only modify what is necessary.
ℹ️ You must be a Business Unit Owner or a Business Unit Manager to clone a program.
Go to the “Admin Panel”, then “Programs”
Click on “…” (i.e., more info) on the program of your choice
Click on “Clone bug bounty”
When you click this button, it generates a copy of said program in a new creation form.
Then, you can simply use that copy and focus on what needs to be modified, or added, in this specific program context (e.g. Scope type, Scope and Asset value).
Once done, just click on “Clone Bug Bounty” and the new program will be created.
ℹ️ As with any other program, it remains in draft status until it has been finalised, reviewed, and validated by the YesWeHack Customer Success team.
Program archiving
For traceability, integrity, and accountability reasons, it is not possible to delete a program, but you can archive it.
ℹ️ You can still see all reports related to an archived program in the Vulnerability Center by selecting this program in the filters.
Archive a program (e.g., an ended or permanently closed Bug Bounty program) as follows:
Go to the “Admin Panel”, then “Programs”
Click on “…” (i.e., more info) on the program of your choice
Click on “Archive bug bounty”
Once done, your program is moved to the bottom of your program list.
If you want to unarchive a program, simply select “…” again and click on “Unarchive program”.