Researcher Documentation

Public Disclosure Policy

Vulnerability Disclosure at Bugcrowd

Bugcrowd believes that the coordinated, orderly, public disclosure of vulnerabilities is a healthy and important part of the vulnerability disclosure process. The following Disclosure policies apply to all submissions made through the Bugcrowd platform (including New, Triaged, Unresolved, Resolved, Duplicates, Out of Scope, Not Applicable and Won’t Fix submissions). We encourage Program Owners and researchers to work together to share information in a mutually agreed upon manner. This section explains Disclosure options at Bugcrowd to both Program Owners and Crowd members.

Coordinated Disclosure

Coordinated Disclosure is the default recommended policy for all new public programs, and is strongly recommended but optional for ongoing private bounty programs. Under this model, Program Owners commit to allowing researchers to publish mutually agreed on information about the vulnerability after it has been fixed. Program Owners still require explicit permission to disclose in the submission record. This applies to all submissions to the program, regardless of validity or acceptance.

Under the principle of Bugcrowd's Coordinated Disclosure, researchers are able to externally disclose limited or full disclosures approved by Program Owners.

Bugcrowd's Coordinated Disclosure allows Program Owners and Researchers to work through the disclosure process, during which all parties must agree upon a date and the level of disclosure (limited or full) for a vulnerability or exploit. Once the vulnerability or exploit is disclosed on Bugcrowd's platform, the Researcher can disclose it publicly as long as the publication adheres to the agreed-upon type of disclosure (limited or full) and any other parameters agreed upon for the disclosure.

Nondisclosure

Nondisclosure is the default policy for OnDemand and continuous Next Generation Penetration Testing and is common in private bounty programs. In the absence of a Coordinated or Custom Disclosure policy (or in the case of any ambiguity) the expectation of the researcher and the Program Owner is nondisclosure. This is documented in our Standard Disclosure Terms and Researcher Code of Conduct. **This means no submissions may be publicly disclosed at any time**, and it is designated by the following text in the program bounty brief:

Custom Disclosure

On occasion, Bugcrowd customers customize disclosure requirements in their bounty brief. An example of that is Tesla, which states:

Program Disclosure

The existence or details of private programs must not be communicated to anyone who is not a Bugcrowd employee or an authorized employee of the organization responsible for the program.

If there is ever conflict between the disclosure terms listed on a Program’s brief and the Bugcrowd Standard Disclosure Terms, the Program Brief supersedes Bugcrowd's terms. Please contact support@bugcrowd.com if you have any questions.

Accidental Disclosure: Insecure POC video sharing

We encourage Researchers to include a video or screenshot Proof-of-Concept in their submissions. These files should not be shared publicly. This includes uploading to any publicly accessible website (e.g. YouTube, Imgur, etc.). If the file exceeds 100MB, upload it to a secure online service such as Vimeo, with a password. For more details, please refer to our Reporting a Bug documentation.
