Program Management

Learn how to effectively manage your bug bounty program with Bugbop

Program Setup

Setting up a successful bug bounty program requires careful planning and clear communication. This section covers the essential steps to configure your Bugbop program effectively.

Creating Your Program

To create a new program in Bugbop:

  1. Navigate to the "My Programs" section in the main navigation
  2. Click the "Create New Program" button
  3. Fill in the required information:
    • Program Name: Your organization or product name
    • Description: A detailed explanation of your program
    • Program URL: The main website for your product or service
    • Program Logo: Upload a high-quality logo (recommended size: 400x400px)
  4. Click "Create Program" to complete the initial setup
Important: A newly created program is set to "Private" by default. Finish configuring scope, rules and bounties before changing the visibility, because the visibility change is what lets researchers see and join the program.

Access Agreement Requirements

Programs with Restricted visibility require an access agreement that researchers must accept before joining:

  • The access agreement is automatically required when the program has restricted visibility
  • A default template is provided that includes your program's site URL
  • You can customize the agreement text to suit your program's specific requirements

Visibility Options

Bugbop offers multiple visibility options to control who can see and participate in your program:

Visibility | Who Can See             | Who Can Join                                                           | Best For
Private    | Only invited users      | Only invited users                                                     | Initial setup, sensitive programs, targeted testing
Restricted | All authenticated users | Users who request access and are approved                              | Controlled growth, vetted researcher access
Public     | All authenticated users | All authenticated users                                                | Maximum coverage, established programs
Closed     | Only invited users      | Nobody new; existing members keep access but cannot submit Bug Reports | Temporary pauses, program restructuring

To change your program's visibility:

  1. Navigate to your program settings
  2. Find the "Visibility" section
  3. Select the appropriate visibility option
  4. Configure any additional settings (e.g., access agreement for restricted programs)
  5. Save your changes

Scope Management

A well-defined scope helps researchers understand what they can test and what vulnerabilities you're interested in. Clear scope definitions lead to higher quality reports and fewer out-of-scope submissions.

Defining In-Scope Assets

To define your scope:

  1. Go to your program settings
  2. Select the "Scope" tab
  3. Add assets to your in-scope list:
    • Domains: Specify web domains to test (e.g., example.com, *.example.com)
    • Mobile Apps: Include links to your mobile applications
    • API Endpoints: List API endpoints that can be tested
    • Other Assets: Any other testable systems or components
  4. For each asset, specify:
    • Impact level (Critical, High, Medium, Low)
    • Specific testing instructions if applicable
  5. Save your changes

Out-of-Scope Rules

Clearly communicate what researchers should NOT test. Make each exclusion more specific than the in-scope entry it carves out of (for example, a single host excluded under an in-scope wildcard), and state that an exclusion applies even when an in-scope entry also matches:

  • Protected Systems: Production databases, internal networks, etc.
  • Forbidden Techniques: DoS attacks, physical security testing, social engineering
  • Third-Party Services: Services not directly under your control
  • Known Issues: Vulnerabilities you're already aware of
Pro Tip: Periodically review and update your scope as your systems evolve. Add new assets and remove deprecated ones to keep your program current.
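The following is an added example of how the in-scope and out-of-scope rules above combine when a reported target is checked; it is illustration code, not Bugbop's scope engine. The scope entries, hostnames and impact levels are constructed assumptions. It goes slightly beyond the text by also handling full URLs, ports and mixed-case hostnames, and by making the most specific in-scope entry win when several match.

```python
"""Scope matcher: decide whether a reported target is in scope.

Added illustration only (not Bugbop's scope engine). The scope below is a
constructed example; hostnames and impact levels are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Scope:
    # pattern -> impact level; a pattern is an exact host ("api.example.com")
    # or a wildcard ("*.example.com") covering every subdomain but not the apex
    in_scope: dict[str, str]
    # exclusions use the same pattern syntax and always win over in-scope entries
    out_of_scope: set[str] = field(default_factory=set)


def extract_host(target: str) -> str:
    """Return the lowercase hostname from a URL or a bare host[:port] string."""
    text = target.strip()
    if "://" not in text:
        text = "//" + text  # urlsplit needs the netloc marker to see a bare host
    host = urlsplit(text).hostname or ""
    return host.lower().rstrip(".")


def host_matches(pattern: str, host: str) -> bool:
    """Exact match, or dotted-suffix match for "*.example.com".

    Matching on ".example.com" (with the leading dot) means neither
    "evil-example.com" nor "example.com.attacker.test" matches the wildcard.
    """
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.example.com" -> ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def classify(scope: Scope, target: str) -> tuple[str, str | None]:
    """Return ("out_of_scope", None), ("in_scope", impact) or ("unknown", None).

    Exclusions are checked first so a narrow out-of-scope host inside an
    in-scope wildcard is honoured. Among in-scope matches the most specific
    pattern wins: an exact host beats a wildcard, a longer pattern beats a
    shorter one.
    """
    host = extract_host(target)
    if not host:
        return ("unknown", None)
    if any(host_matches(p, host) for p in scope.out_of_scope):
        return ("out_of_scope", None)
    best_key: tuple[bool, int] | None = None
    best_impact: str | None = None
    for pattern, impact in scope.in_scope.items():
        if host_matches(pattern, host):
            key = (not pattern.startswith("*."), len(pattern))
            if best_key is None or key > best_key:
                best_key, best_impact = key, impact
    if best_impact is not None:
        return ("in_scope", best_impact)
    return ("unknown", None)


# Constructed example scope (assumption, not any real program's scope).
EXAMPLE_SCOPE = Scope(
    in_scope={
        "example.com": "High",
        "*.example.com": "Medium",
        "api.example.com": "Critical",
    },
    out_of_scope={"staging.example.com", "*.staging.example.com",
                  "legacy.example.com"},
)


if __name__ == "__main__":
    for target in ["https://api.example.com/v1/users", "www.example.com",
                   "db.staging.example.com", "example.com.evil.test"]:
        print(target, "->", classify(EXAMPLE_SCOPE, target))
```

Note that the wildcard does not cover the apex domain, so a program that wants both must list "example.com" and "*.example.com" separately, as the sample scope does; likewise an exclusion for a subtree needs both the host and its wildcard.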

Team Management

Building an effective team to manage your bug bounty program is essential for success. Bugbop provides role-based access to help you delegate responsibilities appropriately.

Available Roles

  • Owner: Full administrative access, cannot be removed
  • Admin: Full access to program settings and reports
  • Triager: Can process and respond to reports, cannot change program settings
  • Viewer: Read-only access to reports and program information

Grant each team member the lowest role that covers their work: day-to-day report handling needs only Triager, and only the Owner and Admins can change scope, visibility or bounty settings.

Adding Team Members

To invite colleagues to your program team:

  1. Navigate to your program settings
  2. Select "Team Members"
  3. Click "Invite Team Member"
  4. Enter their email address
  5. Select the appropriate role
  6. Add a personalized message (optional)
  7. Click "Send Invitation"

The invited user will receive an email with instructions to join your program team.

Researcher Management

Building relationships with security researchers is key to a successful bug bounty program. Bugbop provides tools to help you manage your researcher community effectively.

Inviting Researchers

For private or restricted programs, you can directly invite researchers:

  1. Go to your program dashboard
  2. Select "Bug Hunters"
  3. Click "Invite Researcher"
  4. Enter their email address or Bugbop username
  5. Add a personalized invitation message
  6. Send the invitation

Managing Access Requests

For both restricted and invite-only programs, you'll need to review access requests:

  1. Navigate to "Bug Hunters" in your program dashboard
  2. Select the "Access Requests" tab for restricted programs or "Invite Requests" tab for invite-only programs
  3. Review each request, including:
    • Researcher profile and history
    • Their reason for requesting access
    • Any relevant skills or experience
  4. Approve or reject each request
  5. Provide feedback for rejected requests (optional but recommended)

Bounty Structure

A clear and fair bounty structure helps attract and retain skilled researchers. Bugbop allows flexible bounty configurations to match your budget and priorities.

Setting Bounty Ranges

To configure your bounty structure:

  1. Go to your program settings
  2. Select the "Bounties" tab
  3. Set bounty ranges for each severity level:
    • Critical: Highest impact vulnerabilities (e.g., $1,500 - $5,000)
    • High: Significant security issues (e.g., $500 - $1,500)
    • Medium: Moderate risk vulnerabilities (e.g., $100 - $500)
    • Low: Minor security concerns (e.g., $50 - $100)
  4. Save your changes

Budget Management

Bugbop's dynamic budget management system helps you control bounty expenditures and prevent budget overruns:

  • Budget Periods: Set monthly or yearly budget cycles that automatically reset
  • Dynamic Report Limits: The system calculates how many open reports your remaining budget can support
  • Automatic Pausing: Bounties pause when budget limits are reached or when too many reports are open
  • Smart Notifications: Staff receive alerts 3 days before budget resets

Pro Tip: For more details on budget management, see our Bounty Budgeting documentation.
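The following is an added example of the budgeting logic described above (reserving for open reports, deriving a report limit, pausing, and warning before a reset); it illustrates the idea and is not Bugbop's implementation. The bounty ranges mirror the example ranges in the Bounties section, and the sample budget, report list and dates are constructed.

```python
"""Dynamic report limit: how many more reports the remaining budget can carry.

Added illustration of the budgeting logic, not Bugbop's own implementation.
Bounty ranges mirror the example ranges in the Bounties section; the budget,
report data and dates are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# severity -> (minimum, maximum) bounty in dollars; example values, not defaults
BOUNTY_RANGES: dict[str, tuple[int, int]] = {
    "Critical": (1500, 5000),
    "High": (500, 1500),
    "Medium": (100, 500),
    "Low": (50, 100),
}

RESET_WARNING_DAYS = 3  # staff are alerted 3 days before a budget reset


@dataclass
class OpenReport:
    report_id: str
    severity: str  # key into BOUNTY_RANGES


@dataclass
class BudgetStatus:
    remaining: int          # period budget minus bounties already paid
    reserved: int           # worst-case payout for every report still open
    available: int          # remaining minus reserved, floored at zero
    max_new_reports: int    # further reports of the planning severity that fit
    pause_bounties: bool    # stop accepting new reports for now
    days_until_reset: int
    reset_warning: bool     # within RESET_WARNING_DAYS of the period reset


def next_reset(today: date, period: str) -> date:
    """First day of the next monthly or yearly budget period."""
    if period == "monthly":
        return (today.replace(day=1) + timedelta(days=32)).replace(day=1)
    if period == "yearly":
        return date(today.year + 1, 1, 1)
    raise ValueError(f"unknown budget period: {period}")


def assess_budget(period_budget: int, paid_this_period: int,
                  open_reports: list[OpenReport], today: date,
                  period: str = "monthly", planning_severity: str = "High",
                  max_open_reports: int | None = None) -> BudgetStatus:
    """Reserve the top of each open report's range, then see what is left.

    Reserving the maximum is deliberately conservative: a report triaged as
    Medium may be awarded anywhere in its range, and the budget must still
    cover it if every open report lands at the top of its range.
    """
    for r in open_reports:
        if r.severity not in BOUNTY_RANGES:
            raise ValueError(f"{r.report_id}: unknown severity {r.severity!r}")
    remaining = period_budget - paid_this_period
    reserved = sum(BOUNTY_RANGES[r.severity][1] for r in open_reports)
    available = max(0, remaining - reserved)
    per_report = BOUNTY_RANGES[planning_severity][1]
    max_new = available // per_report
    too_many_open = (max_open_reports is not None
                     and len(open_reports) >= max_open_reports)
    days_left = (next_reset(today, period) - today).days
    return BudgetStatus(
        remaining=remaining,
        reserved=reserved,
        available=available,
        max_new_reports=max_new,
        pause_bounties=max_new == 0 or too_many_open,
        days_until_reset=days_left,
        reset_warning=days_left <= RESET_WARNING_DAYS,
    )


# Constructed sample: $10,000 monthly budget, $3,500 paid, three reports open.
SAMPLE_OPEN = [OpenReport("R-101", "Critical"), OpenReport("R-102", "Medium"),
               OpenReport("R-103", "Medium")]

if __name__ == "__main__":
    print(assess_budget(10_000, 3_500, SAMPLE_OPEN, date(2025, 3, 29)))
```

With the sample data the $6,500 still unspent is almost entirely reserved ($6,000 worst case for the three open reports), so only $500 is free: one more Medium report fits, no High report does, and the program would pause for High-and-above planning three days before the April reset.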

Awarding Bounties

When awarding bounties for valid reports:

  1. Navigate to the report in your dashboard
  2. Review the impact and quality
  3. Click "Award Bounty"
  4. Enter the bounty amount
  5. Add a note explaining your decision (recommended)
  6. Confirm the payment

Non-Monetary Rewards

If you can't offer monetary bounties, consider alternative incentives:

  • Public Recognition: Hall of fame, researcher spotlights
  • Points/Reputation: Status within your program community
  • Swag: Merchandise, gift cards, or company products
  • References: Professional references for researchers
  • Special Access: Early access to new features or products

Metrics & Analytics

Bugbop provides comprehensive analytics to help you measure the effectiveness of your program and identify areas for improvement.

Key Performance Indicators

Monitor these essential metrics:

  • Report Volume: Total number of reports received
  • Valid Report Rate: Share of triaged reports that were accepted as valid
  • Average Time to Triage: How quickly your team assesses new reports
  • Average Time to Resolution: How long it takes to fix reported issues
  • Researcher Satisfaction: Feedback from your participating researchers
  • Bounty Expenditure: Total amount paid in bounties
  • Return on Investment: Value of prevented security incidents vs. program costs
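The following is an added example that computes the measurable indicators above from report records, and also flags reports that missed the 24-48 hour acknowledgement target recommended under Best Practices. It is illustration code, not Bugbop's analytics; the record structure, field names and sample reports are constructed assumptions, and times are naive UTC datetimes.

```python
"""Compute program KPIs from report records.

Added illustration, not Bugbop's analytics code. The record shape and the
sample reports are constructed; times are naive UTC datetimes.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

ACKNOWLEDGE_SLA = timedelta(hours=48)  # upper end of the 24-48 h target


@dataclass
class ReportRecord:
    report_id: str
    submitted: datetime
    triaged: datetime | None = None   # first staff assessment
    resolved: datetime | None = None  # fix confirmed
    valid: bool | None = None         # None until triage decides
    bounty: int = 0                   # dollars awarded so far


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600


def program_kpis(reports: list[ReportRecord], as_of: datetime) -> dict:
    """Return the KPI values for the given records as of `as_of`.

    Valid Report Rate is measured over triaged reports only, so reports still
    waiting for triage do not distort it. A report breaches the acknowledgement
    SLA if triage took longer than ACKNOWLEDGE_SLA, or if it is still untriaged
    and already older than that.
    """
    decided = [r for r in reports if r.valid is not None]
    valid = [r for r in decided if r.valid]
    triage_hours = [_hours(r.triaged - r.submitted) for r in reports if r.triaged]
    resolution_hours = [_hours(r.resolved - r.submitted)
                        for r in valid if r.resolved]
    breaches = []
    for r in reports:
        end = r.triaged if r.triaged is not None else as_of
        if end - r.submitted > ACKNOWLEDGE_SLA:
            breaches.append(r.report_id)
    return {
        "report_volume": len(reports),
        "valid_report_rate": round(len(valid) / len(decided), 3) if decided else None,
        "avg_hours_to_triage": round(mean(triage_hours), 1) if triage_hours else None,
        "avg_hours_to_resolution": (round(mean(resolution_hours), 1)
                                    if resolution_hours else None),
        "bounty_expenditure": sum(r.bounty for r in reports),
        "pending_triage": sum(1 for r in reports if r.triaged is None),
        "acknowledgement_sla_breaches": breaches,
    }


# Constructed records (not real program data).
SAMPLE_REPORTS = [
    ReportRecord("R-1", datetime(2025, 6, 1, 9), triaged=datetime(2025, 6, 1, 15),
                 resolved=datetime(2025, 6, 5, 9), valid=True, bounty=800),
    ReportRecord("R-2", datetime(2025, 6, 2, 10), triaged=datetime(2025, 6, 5, 10),
                 valid=True, bounty=1500),
    ReportRecord("R-3", datetime(2025, 6, 3, 8), triaged=datetime(2025, 6, 3, 20),
                 valid=False),
    ReportRecord("R-4", datetime(2025, 6, 9, 18)),
]
AS_OF = datetime(2025, 6, 10, 12)

if __name__ == "__main__":
    for name, value in program_kpis(SAMPLE_REPORTS, AS_OF).items():
        print(f"{name}: {value}")
```

Researcher Satisfaction and Return on Investment are left out deliberately: the first comes from survey feedback and the second needs an estimate of incident cost that no report record carries.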

Generating Reports

To access analytics and generate reports:

  1. Navigate to your program dashboard
  2. Select the "Analytics" tab
  3. Choose the date range you want to analyze
  4. View the automatically generated charts and data
  5. Export reports to PDF or CSV for stakeholders

Best Practices

Based on successful bug bounty programs, here are recommended best practices:

Communication

  • Be responsive: Aim to acknowledge new reports within 24-48 hours
  • Provide regular updates: Keep researchers informed about the status of their reports
  • Be transparent: Clearly explain your decisions, especially for rejected reports
  • Use templates: Create response templates for common scenarios to ensure consistency

Program Management

  • Start small: Begin with a limited scope and expand gradually
  • Define clear rules: Set explicit expectations about testing methods and scope
  • Provide testing resources: When possible, offer sandbox environments
  • Conduct regular reviews: Periodically assess and update your program settings
  • Be adaptable: Adjust your scope, rewards, and processes based on feedback and results

Building Researcher Relationships

  • Show appreciation: Thank researchers for valid reports, even if the impact is low
  • Provide constructive feedback: Help researchers improve their reports
  • Recognize top contributors: Highlight your most valuable researchers
  • Consider bonus rewards: Offer additional compensation for exceptional reports
  • Solicit feedback: Ask researchers how you can improve your program
Success Strategy: The most successful bug bounty programs view researchers as partners, not vendors. Building strong relationships with your researcher community leads to higher quality reports and more effective vulnerability discovery.