Bugcrowd believes that public disclosure of vulnerabilities is a healthy and important part of the vulnerability disclosure process, and encourages vendors and researchers to work together to share information in a coordinated and mutually agreed upon manner. As each vendor will take their own position on the disclosure of vulnerabilities reported through their bounty program, this document is intended to explain Disclosure options at Bugcrowd to both customers and Crowd members.
The following Disclosure policies apply to all submissions made through the Bugcrowd platform, including Duplicates, Out of Scope, and Not Applicable submissions. If a researcher wants to retain disclosure rights for vulnerabilities that are out of scope for a bounty program, they should report the issue to the vendor directly. Bugcrowd can assist researchers in identifying the appropriate email address to contact. Customers are encouraged to ensure their program scope includes all critical components they wish to receive vulnerability reports for.
Just as secure development practices are designed to have systems fail closed, Bugcrowd's default submission disclosure state is nondisclosure. This is documented in our Standard Disclosure Terms and Researcher Code of Conduct. This means no submissions may be publicly disclosed at any time, and is designated by the following text in the program bounty brief:
When a new Bounty Program is being onboarded, the customer is encouraged to consider setting their disclosure position to allow researchers to publish their work after the vulnerability has been fixed. While these customers are open to public disclosure of vulnerabilities, they still require explicit permission to disclose in the submission record. Again, this applies to all submissions to the program regardless of validity.
On occasion, Bugcrowd customers customize their disclosure requirements in their bounty brief. An example of that is Tesla, which states:
The existence or details of private or invitation-only programs must not be communicated to anyone who is not a Bugcrowd employee or an authorized employee of the organisation responsible for the program.
If there is ever conflict between a Program Brief and the Bugcrowd Standard Disclosure Terms, the customer's Program Brief supersedes Bugcrowd's Standard Disclosure Terms. Please contact firstname.lastname@example.org if you have any questions.
We encourage researchers to include a video or screenshot Proof-of-Concept in their submissions. These files should not be uploaded to a publicly accessible website (e.g. Vimeo, Imgur, etc.), as the Bugcrowd platform supports video and image uploads up to 20MB. For full upload parameters, visit https://researcherdocs.bugcrowd.com/v2.0/docs/reporting-a-bug.