Understanding BUO and BUM Roles on YesWeHack
When managing programs on YesWeHack, certain roles have specific permissions. Two key roles are Business Unit Owner (BUO) and Business Unit Manager (BUM).
What is a BUO?
A BUO (Business Unit Owner) is the person who holds the highest-level responsibility for a Business Unit within your organisation.
In practice, this role is most often assigned to the decision‑maker linked to the project — not necessarily the person who will manage the program(s) on a daily basis.
It is typically given to the contract‑signer or governance owner of the scope, such as a CISO / RSSI or any senior stakeholder overseeing the unit.
Key responsibilities:
Holding overall governance of the Business Unit
Defining the strategic direction and validating program creation
Delegating operational roles to team members who will manage day-to-day activities
Managing high‑level settings and approvals for all programs within the BU
ℹ️ Each Business Unit has only one Business Unit Owner, but it can have several Business Unit Managers.
What is a BUM?
A BUM (Business Unit Manager) is typically the project lead responsible for the operational management of the programs within a Business Unit.
Unlike the BUO, who oversees governance and strategic decisions, the BUM handles the day‑to‑day execution of the programs.
This role is usually assigned to the person who will actively manage the lifecycle of the program — making them the primary point of contact for operational matters.
Key responsibilities:
Creating and configuring new programs
Managing the operational follow‑up of reports and researcher interactions
Working closely with the BUO to ensure smooth execution
Acting as the main interface for program coordination
ℹ️ A Business Unit Owner can revoke a Business Unit Manager, but a Business Unit Manager cannot revoke a Business Unit Owner.
Who can create a bug bounty program?
Only the BUO and BUM roles have permission to create a new program (i.e., Pentest management, Bug Bounty, Featured VDP).
Other roles, such as Program Manager (PM), can edit existing programs but cannot create new ones.
ℹ️ To learn more about roles and permissions, click here.
Summary Table
Role | Can create program? | Can edit program? |
Business Unit Owner (BUO) | Yes | Yes |
Business Unit Manager (BUM) | Yes | Yes |
Program Manager (PM) | No | Yes |
Why is this important?
Restricting program creation to BUO and BUM ensures:
Proper governance and accountability
Alignment with organisational security policies
Controlled access to sensitive program configurations
