Assign Roles and Permissions to your team members
The YesWeHack platform enables you to set different roles & permissions for your collaborators. We provide a very granular approach to align with your internal organisation and structure.
Main roles and accesses
The YesWeHack platform revolves around 3 main objects for roles and permissions:
Business Units: this is the highest layer of the platform, associated to the organisation level. From the Business Unit layer, you are able to access all programs & vulnerability reports.
Programs: this is the layer associated to specific testing campaigns (e.g., a Bug Bounty program, a pentest campaign, a VDP, etc.). From the program layer, you are able to access the program and all vulnerability reports of this program. You cannot access other programs, or other programs' reports.
Vulnerability reports: this is the lowest access layer of the platform, it is associated to a specific vulnerability report. From the report layer, you are only able to access the vulnerability report. You have cannot view other reports, the program, nor the organisation.
The roles & permissions that can be assigned to your collaborators give different access rights for these 3 categories.
ℹ️ Learn more about how to invite new team members here.
The permissions of each role are detailed in the table below.
ℹ️ VDPs and a Featured VDPs are both considered as programs. However, in the case of a VDP, the program manager cannot interact with the person who reported the vulnerability.
Team members roles
| BU
Owner | BU
Manager | BU
Accouting Manager | BU
Surface Manager | Program
Manager | Program
Auditor | Program
Analyst | Program
Viewer | Program
Triager | Report
Auditor | Report
Viewer |
Business Unit Actions |
|
|
|
|
|
|
|
|
|
|
|
Edit BU | ✓ | ✓ | ✓ |
|
|
|
|
|
|
|
|
Invite BU Member | ✓ | ✓ |
|
|
|
|
|
|
|
|
|
Refill Wallet | ✓ | ✓ | ✓ |
|
|
|
|
|
|
|
|
Request License | ✓ | ✓ | ✓ |
|
|
|
|
|
|
|
|
Activate SSO | ✓ | ✓ |
|
|
|
|
|
|
|
|
|
Consult Audit Logs | ✓ | ✓ |
|
|
|
|
|
|
|
|
|
Create Personal Access Token | ✓ | ✓ |
|
| ✓ |
|
|
|
|
|
|
Create Groups | ✓ | ✓ |
|
|
|
|
|
|
|
|
|
Create Response Templates | ✓ | ✓ | ✓ |
|
|
|
|
|
|
|
|
Manage assets | ✓ | ✓ |
| ✓ |
|
|
|
|
|
|
|
Program Actions (Bug Bounty, Pentest and VDP) |
|
|
|
|
|
|
|
|
|
|
|
Create Program | ✓ | ✓ |
|
|
|
|
|
|
|
|
|
Edit Program | ✓ | ✓ |
|
| ✓ |
|
|
|
|
|
|
Invite Program Member | ✓ | ✓ |
|
| ✓ |
|
|
|
|
|
|
Invite hunter or pentester | ✓ | ✓ |
|
| ✓ |
|
|
|
|
|
|
Import Reports | ✓ | ✓ |
|
| ✓ |
|
|
|
|
|
|
Create Report Templates | ✓ | ✓ |
|
| ✓ |
|
|
|
|
|
|
Report Actions |
|
|
|
|
|
|
|
|
|
|
|
Consult Report | ✓ | ✓ |
| ✓
(only on ASM reports) | ✓ | ✓ | ✓
(only on closed reports) | ✓ | ✓ | ✓ | ✓ |
Consult Report Updates | ✓ | ✓ |
| ✓
(only on ASM reports) | ✓ | ✓ | ✓
(only on closed reports) | ✓ | ✓ | ✓ | ✓ |
Consult Private Comments | ✓ | ✓ |
| ✓
(only on ASM reports) | ✓ | ✓ |
|
| ✓ | ✓ |
|
Update Report | ✓ | ✓ |
| ✓
(only on ASM reports) | ✓ | ✓ |
|
| ✓ | ✓ |
|
Comment Report | ✓ | ✓ |
| ✓
(only on ASM reports) | ✓ | ✓ |
|
| ✓ | ✓ |
|
Set Report priority | ✓ | ✓ |
| ✓
(only on ASM reports) | ✓ | ✓ |
|
| ✓ | ✓ |
|
Export Report | ✓ | ✓ |
| ✓
(only on ASM reports) | ✓ | ✓ | ✓ | ✓ |
| ✓ | ✓ |
Invite Report Member | ✓ | ✓ |
| ✓
(only on ASM reports) | ✓ | ✓ |
|
| ✓ |
|
|
Consult Reward Amount | ✓ | ✓ |
|
| ✓ | ✓ |
|
| ✓ | ✓ |
|
Set Reward | ✓ | ✓ |
|
| ✓ |
|
|
|
|
|
|
Role examples:
A “Business Unit Manager” is the role with the most privileges on the platform. These are exactly the same as the Business Unit Owner (the one who created the company) and can be used as a back-up.
A “Business Unit Surface manager” manages assets and reports only related to the Attack Surface product.
A "Program Analyst" has access to closed reports (e.g. 'Resolved') for knowledge sharing and post-analysis.
A “Report viewer” can view a specific report without editing it. It is usually used to share information to a key stakeholder on an individual vulnerability.
Security Researchers Roles
| Hunters | Pentesters | External reporters
(For VDP programs) |
View other reports from the program |
| ✓ |
|
Create a report | ✓ | ✓ | ✓ |
Edit report description |
| ✓ |
|
Edit report metadata | ✓ | ✓ |
|
Comment on the report | ✓ | ✓ |
|
Multiple role assignment
Each role is structured around:
A person
An item: Business Unit, Program or Vulnerability Report
An access: Manager, Viewer, Auditor, etc.
A person can have multiple roles, but they cannot be combined on the same item.
Examples:
A Program Manager cannot be invited as a Program Viewer on the same program
A member can be both a Hunter and a Pentester on different programs