Automated Security Scanners

Learn about automated security scanners and managing their reports


Overview

Bugbop's automated security scanners periodically check your domains for common security misconfigurations and raise them as Bug Reports. These Reports are useful for catching security issues, and they also help with handling duplicate reports from researchers who submit the same basic security issues repeatedly.

[Figure: table of automated bug reports submitted by 'Bugbot' for example.org. All three reports have a 'Won't Fix' status, 'Low' severity and no bounty awarded: 'Missing Content Security Policy (CSP) Header', 'Missing Anti-Clickjacking Headers' and 'Missing Certificate Authority Authorization (CAA) Record'. One additional row is labeled 'Example Bug Report' with status 'N/A'.]
Automated findings from Bugbot highlighting common missing or misconfigured security controls.

Available Scanners

Scanner                Checks For                                                      Type          Frequency
Example Scanner        Creates an Example bug to demonstrate the workflow of Bugbop    Special       Once
Clickjacking Scanner   Checks for headers to ensure clickjacking protection            HTTP Header   Daily
CSP Scanner            Missing Content-Security-Policy HTTP header                     HTTP Header   Daily
DMARC Scanner          Missing DMARC DNS TXT record                                    DNS Record    Hourly
CAA Scanner            Missing Certificate Authority Authorization DNS records         DNS Record    Hourly
Loose SPF Scanner      Overly permissive SPF configuration                             DNS Record    Hourly
Note: New scanners will be added over time. We check your Program's Site and Description to find assets to scan (e.g. URLs, domains, subdomains, IPs).

Managing Scanner Reports

Handling Scanner Reports

Automated reports are created by Bugbot and have standardized titles. To handle them:

  1. Review the report and decide whether you want the issue fixed.
  2. If you want it fixed: Implement the fix, then close as "Fixed". The scanner will re-open the bug if it happens again.
  3. If you don't want it fixed: Close as "Won't Fix" or "Not Applicable" and the scanner will stop checking.

Duplicate Handling

Once you close a scanner report, duplicate submissions from researchers will automatically be detected by Bugbot's AI triage.

Re-checking

If you close a report as "Fixed" but the scanner later detects the issue is still present, it will automatically change the status back to "Open" and add a comment to notify you.
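The checks listed in the scanner table and the re-checking rule above, written out as an added Python example (not Bugbop's own code). The HTTP headers and DNS answers are constructed sample data so that it runs offline; the record names passed in (apex TXT, _dmarc TXT, apex CAA) are assumptions about how such a checker would be fed.

```python
import re

# Titles mirror the standardized Bugbot report titles shown on this page.
CSP_TITLE = "Missing Content Security Policy (CSP) Header"
CLICKJACK_TITLE = "Missing Anti-Clickjacking Headers"
CAA_TITLE = "Missing Certificate Authority Authorization (CAA) Record"
DMARC_TITLE = "Missing DMARC DNS TXT record"
SPF_TITLE = "Overly permissive SPF configuration"

def check_http_headers(headers):
    """CSP and Clickjacking checks over one response's headers (names are case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append(CSP_TITLE)
    # Framing is blocked by X-Frame-Options or a CSP frame-ancestors directive.
    if "x-frame-options" not in h and "frame-ancestors" not in csp.lower():
        findings.append(CLICKJACK_TITLE)
    return findings

def check_dns_records(apex_txt, dmarc_txt, caa):
    """DMARC, CAA and loose-SPF checks over DNS answers (TXT at apex, TXT at _dmarc, CAA at apex)."""
    findings = []
    if not any(r.lower().startswith("v=dmarc1") for r in dmarc_txt):
        findings.append(DMARC_TITLE)
    if not caa:
        findings.append(CAA_TITLE)
    # A "+all" (or bare "all") mechanism lets any host send mail as the domain;
    # "-all", "~all" and "?all" do not trigger this check.
    for record in apex_txt:
        if record.lower().startswith("v=spf1") and re.search(r"\s\+?all(\s|$)", record.lower()):
            findings.append(SPF_TITLE)
    return findings

def recheck(status, title, findings):
    """Re-checking rule from this page: a report closed as "Fixed" is reopened if the
    issue is detected again; "Won't Fix" and "Not Applicable" are left alone."""
    if status == "Fixed" and title in findings:
        return "Open"
    return status

if __name__ == "__main__":
    # Constructed sample data for example.org, not real scan results.
    headers = {"Server": "nginx", "X-Frame-Options": "DENY"}
    apex_txt = ["v=spf1 include:_spf.example.net +all"]
    print(check_http_headers(headers))                       # [CSP_TITLE]
    print(check_dns_records(apex_txt, [], []))               # [DMARC_TITLE, CAA_TITLE, SPF_TITLE]
    print(recheck("Fixed", CSP_TITLE, check_http_headers(headers)))  # Open
```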

Enabling/Disabling Scanners

You can enable or disable the Bugbot scanner when editing your Program's settings (View Program -> Settings -> Edit). Disabling it turns off all scans: new reports will not be raised and old reports will not be rechecked.

[Figure: toggle switch for 'Automated Bug Reports' with the description 'Bugbop's Bugbot will scan your in-scope assets for vulnerabilities and raise Bug Reports'. The toggle is currently turned on.]
Toggle switch for turning automated scans on or off in Program settings.