
Roles & permissions

Learn more about the different platform roles and their access rights

Updated this week

Assign Roles and Permissions to your team members

The YesWeHack platform enables you to set different roles & permissions for your collaborators. We provide a very granular approach to align with your internal organisation and structure.


Main roles and accesses

The YesWeHack platform revolves around 3 main objects for roles and permissions:

  • Business Units: this is the highest layer of the platform, associated with the organisation level. From the Business Unit layer, you are able to access all programs and all vulnerability reports of the organisation.

  • Programs: this is the layer associated with a specific testing campaign (e.g., a Bug Bounty program, a pentest campaign, a VDP, etc.). From the program layer, you are able to access the program and all vulnerability reports of that program. You cannot access other programs, nor the reports of other programs.

  • Vulnerability reports: this is the lowest access layer of the platform, associated with a single vulnerability report. From the report layer, you are only able to access that vulnerability report. You cannot view other reports, the program, nor the organisation.

The roles & permissions that can be assigned to your collaborators give different access rights for these 3 categories.

ℹ️ Learn more about how to invite new team members here.

The permissions of each role are detailed in the table below.

ℹ️ VDPs and Featured VDPs are both considered as programs. However, in the case of a VDP, the program manager cannot interact with the person who reported the vulnerability.

Team member roles

Role examples:

  • A “Business Unit Manager” is the role with the most privileges on the platform. Its privileges are exactly the same as those of the Business Unit Owner (the person who created the company), so it can be used as a back-up for the Owner.

  • A “Business Unit Surface manager” manages assets and reports only related to the Attack Surface product.

  • A "Program Analyst" has access to closed reports (e.g. 'Resolved') of a program, for knowledge sharing and post-analysis.

  • A “Report viewer” can view a specific report without editing it. It is usually used to share information with a key stakeholder about an individual vulnerability.

Security Researchers Roles

Multiple role assignment

Each role is structured around:

  • A person

  • An item: Business Unit, Program or Vulnerability Report

  • An access: Manager, Viewer, Auditor, etc.

A person can hold multiple roles, but two roles cannot be combined on the same item: each (person, item) pair carries at most one access level.

Examples:

  • A Program Manager cannot be invited as a Program Viewer on the same program

  • A member can be both a Hunter and a Pentester on different programs
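The three-layer hierarchy and the one-role-per-item rule above can be checked mechanically. The following is an added example, not YesWeHack's own code or API: it models a registry of (person, item, access) assignments, rejects a second role on the same item, and resolves whether a person can reach a report by walking up from the report to its program and Business Unit. All class, function and item names (`RoleRegistry`, `Item`, the program and report identifiers) are hypothetical, and state-based restrictions such as the Program Analyst seeing only closed reports are deliberately not modelled.

```python
"""Toy model of the Business Unit > Program > Report access hierarchy (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Layer names are hypothetical labels for the three object types on the page.
BUSINESS_UNIT, PROGRAM, REPORT = "business_unit", "program", "report"


@dataclass(frozen=True)
class Item:
    """One object a role can be attached to; `parent` links report -> program -> BU."""
    kind: str
    id: str
    parent: Item | None = None


@dataclass
class RoleRegistry:
    """Stores one access level per (person, item) pair."""
    assignments: dict[tuple[str, Item], str] = field(default_factory=dict)

    def assign(self, person: str, item: Item, access: str) -> None:
        """Attach a role; a second role on the same item for the same person is refused."""
        key = (person, item)
        if key in self.assignments:
            raise ValueError(
                f"{person} already holds '{self.assignments[key]}' on "
                f"{item.kind} {item.id}; roles cannot be combined on one item"
            )
        self.assignments[key] = access

    def roles_of(self, person: str) -> dict[tuple[str, str], str]:
        """All roles of a person, keyed by (item kind, item id)."""
        return {
            (item.kind, item.id): access
            for (who, item), access in self.assignments.items()
            if who == person
        }

    def can_access(self, person: str, target: Item) -> bool:
        """True if the person holds a role on the target or on any ancestor layer.

        A role on a report grants only that report; a role on a program grants the
        program and all its reports; a role on the Business Unit grants everything.
        """
        node: Item | None = target
        while node is not None:
            if (person, node) in self.assignments:
                return True
            node = node.parent
        return False


def build_demo() -> RoleRegistry:
    """Constructed sample organisation used to exercise the rules."""
    bu = Item(BUSINESS_UNIT, "acme")
    bug_bounty = Item(PROGRAM, "bb-webapp", bu)
    pentest = Item(PROGRAM, "pentest-api", bu)
    rep_a = Item(REPORT, "report-A", bug_bounty)
    rep_b = Item(REPORT, "report-B", pentest)

    reg = RoleRegistry()
    reg.assign("alice", bu, "Business Unit Manager")      # sees everything
    reg.assign("bob", bug_bounty, "Program Manager")       # one program only
    reg.assign("carol", rep_a, "Report viewer")            # one report only
    reg.assign("dave", bug_bounty, "Hunter")               # different roles on
    reg.assign("dave", pentest, "Pentester")               # different programs: allowed

    # Keep the items reachable for callers that want to query the registry.
    reg.items = {"bu": bu, "bb": bug_bounty, "pt": pentest, "a": rep_a, "b": rep_b}  # type: ignore[attr-defined]
    return reg


if __name__ == "__main__":
    reg = build_demo()
    items = reg.items  # type: ignore[attr-defined]
    print("alice -> report-B:", reg.can_access("alice", items["b"]))
    print("bob   -> report-B:", reg.can_access("bob", items["b"]))
    print("carol -> program :", reg.can_access("carol", items["bb"]))
    try:
        reg.assign("bob", items["bb"], "Program Viewer")
    except ValueError as exc:
        print("refused:", exc)
```

Running the script shows the Business Unit Manager reaching a report in a program she was never explicitly invited to, the Program Manager being stopped at another program's report, the Report viewer being unable to open the program itself, and the attempt to add Program Viewer on top of Program Manager being refused.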
