Bugcrowd believes that the coordinated, orderly, public disclosure of vulnerabilities is a healthy and important part of the vulnerability disclosure process. The following Disclosure policies apply to all submissions made through the Bugcrowd platform (including New, Triaged, Unresolved, Resolved, Duplicates, Out of Scope, Not Applicable and Won’t Fix submissions). We encourage Program Owners and researchers to work together to share information in a mutually agreed upon manner. This section explains Disclosure options at Bugcrowd to both Program Owners and Crowd members.
Coordinated Disclosure is the default recommended policy for all new public programs, and is strongly recommended but optional for ongoing private bounty programs. Under this model, Program Owners commit to allowing researchers to publish mutually agreed on information about the vulnerability after it has been fixed. Program Owners still require explicit permission to disclose in the submission record. This applies to all submissions to the program, regardless of validity or acceptance.
Under the principle of Bugcrowd's Coordinated Disclosure, researchers are able to externally disclose limited or full disclosures approved by Program Owners.
Bugcrowd's Coordinated Disclosure allows for Program Owners and Researchers to work through the disclosure process, during which, all parties must agree upon a date and the level of disclosure (limited or full) for a vulnerability or exploit to be disclosed. Once the vulnerability or exploit is disclosed on Bugcrowd's platform, the Researcher can disclose the vulnerability or exploit publicly as long as it adheres to the agreed-upon type of disclosure - limited or full, and any other parameters agreed upon for the disclosure.
Nondisclosure is the default policy for OnDemand and continuous Next Generation Penetration Testing and is common in private bounty programs. In the absence of a Coordinated or Custom Disclosure policy (or in the case of any ambiguity) the expectation of the researcher and the Program Owner is nondisclosure. This is documented in our Standard Disclosure Terms and Researcher Code of Conduct. **This means no submissions may be publicly disclosed at any time and is designated by the following text in the program bounty brief:
On occasion, Bugcrowd customers customize disclosure requirements in their bounty brief. An example of that is Tesla, which states:
The existence or details of private programs must not be communicated to anyone who is not a Bugcrowd employee or an authorized employee of the organization responsible for the program.
If there is ever conflict between the disclosure terms listed on a Program’s brief and the Bugcrowd Standard Disclosure Terms, the Program Brief supersedes Bugcrowd's terms. Please contact email@example.com if you have any questions.
We encourage Researchers to include a video or screenshot Proof-of-Concept in their submissions. These files should not be shared publicly. This includes uploading to any publicly accessible websites (i.e. YouTube, Imgur, etc.). If the file exceeds 100MB, upload the file to a secure online service such as Vimeo, with a password. For more details, please refer to our Reporting a Bug documentation.