Getting Started

Welcome to the SafeHats bug bounty program. This is a unique opportunity for enterprises to reach out and avail themselves of the services of hundreds of talented security researchers. This documentation serves as a guide for enterprises, providing information on the features of the platform as well as on how to effectively manage a bug bounty program.

Get Started on SafeHats

Preparing Your Organisation

All associated staff who might be affected by the program must have the program objectives explained to them in detail. The developer team must be ready to resolve bugs as soon as they are reported. The members of the organisation must be prepared well in advance for any disruption that might occur during the testing period. A test environment must be created with dummy data so that no sensitive information is exposed to researchers.

Programs

Types Of Program

SafeHats offers three different kinds of program, depending upon the security maturity of the enterprise:

  • Walk (Enterprise): In this program the application is tested by trusted researchers curated by SafeHats. Initial testing of the application finds most of the vulnerabilities and gives developers the opportunity to rectify them.

  • Run (Private Managed): This is a managed vulnerability disclosure program involving selected high-quality hackers in a time-bound manner. Only selected hackers are invited to participate. This gives the enterprise the opportunity to get its application tested by researchers with varied expertise and skill sets.

  • Fly (Public): For security-mature organisations that want a best-in-class security assessment of their application by exposing it to the universal pool of security researchers.

Program Policy

The program policy clearly defines the guidelines that must be followed during the course of the program and is written with the intention of resolving any ambiguity that might arise while it runs. It guides the hackers' efforts towards what needs attention and what does not. The scope of the program should be stated clearly: which products, which properties and which types of vulnerability are to be discovered, and, more specifically, everything that is excluded must be explicitly listed in the program policy. The program policy also establishes the protocol for communication between the program owner and the researchers. Program owners must understand that they are not to initiate any legal action against a security researcher as long as his or her actions stay within the policies mentioned in the program.

The standards mentioned in the policy should be strictly followed while disclosing a bug. The detailed guidelines to be adhered to while reporting a bug are given in the next section. Under no circumstances should information about a bug be made public until prior approval from the organiser is obtained.

Code Of Conduct

Enterprises organising a bug bounty program must abide by the following:

  1. Treat security as the utmost priority and act upon reported vulnerabilities to mitigate them at the earliest.
  2. Reward the findings and incentivize hackers to keep up the good work.
  3. Provide due public recognition to hackers wherever applicable.
  4. Do not threaten or take unnecessary punitive action against researchers, or initiate unreasonable legal action against them.

Owner Startup Guide

Now that you are familiar with the bug bounty program, it’s time to create and manage your account.

Creating A Program

Just register on our website, complete your profile and you are good to go. Follow these simple steps:

  1. Go to https://safehats.com and click SIGNUP as an Enterprise.
  2. Fill in the required details and sign up.
  3. A verification mail will be sent to the registered email ID. Click on the link to verify your account.
  4. You will be directed to the home page. Click on Login and sign in to your account by entering your credentials.
  5. You will now be directed into your account. Congratulations, your company profile is now created.

Updating A Program

A program needs to be created after the company profile has been created. Follow these steps to create and update the program:

  1. Click on the Update Program button on the top navigation bar. You will be directed to the “Create Platform” page.
  2. Update the required information, select the type of program you want to run and then click Next.
  3. You will be guided to the “Policy and Scope” page. Define the program policy and scope as per your requirements and click Next.
  4. Define the reward that your company is willing to offer.
  5. Invite hackers as per your requirement. SafeHats offers you customised filtering options.
  6. Click on Next and you are done. Your program creation request will be sent to “SafeHats Mission Control” for approval.

Inviting Members

Once your program is created you can loop in other members and assign them roles according to requirement. You can invite other members as follows:

  1. Go to the Profile section of your account.
  2. Go to Team Management and click on the Invite Users button.
  3. Enter the email ID of the person concerned and assign them to a group based upon the access they are to be granted.
  4. The user will get a mail to accept the invite and join the program.

Defining Roles

The admin can divide users into groups based upon the level of control to be given, depending upon each user's function. Groups can be created in the “Group Management” section of the profile.

  1. Click on the “Add Group” button.
  2. Fill in the Group Name and Access Control.
  3. Click on Update.

Group Management

Adding or removing team members can only be performed by someone with admin access.

Sections Of Your Account

Dashboard

The initial page after sign up. Here the admin can monitor all activity on the platform. It contains aggregate information on all running programs, bugs reported and bounties paid.

Programs

This contains general information about all running programs and gives the admin control to enable or disable any program. Clicking on any program shows detailed information about that program.

Profile

Here you can manage your personal account as well as the program, depending upon the access level you have.

Hacker

This contains general information about all registered hackers. The admin can add, remove and verify hackers from here. Clicking on any hacker gives access to that hacker's detailed profile.

Reports

All submitted reports can be viewed from here. The user can then validate the authenticity of a report and decide whether the submission is eligible for a bounty.

User StartUp Guide

Now that you are familiar with the interface it’s time to get started on customizing and managing your account.

Understanding Roles and Responsibilities

Updating your profile is easy. Click on the edit icon in the top left section of your profile. You will be directed to the Edit Profile page, where you can enter the required information and update your profile.

Managing Submissions

All members invited to be part of the bug bounty program have access to the submitted reports. For better management of submitted reports, the involved members can be divided into teams for validating and editing reports, disbursing rewards, managing teams and rectifying the reported bugs.

  • Depending upon the role assigned, permissions may vary.
  • All submitted bugs must be validated by the internal triage team.
  • Following validation of a submitted report, the Rewards team must assign and pay the bounty to the hacker concerned.
  • The admin is responsible for inviting new members.

Editing Personal Information

The user can make changes to their account in the Profile section. Follow these steps to change personal information:

  1. Go to the Profile section of your user account.
  2. Select the Profile Update option.
  3. Enter any updates required and click on Update.

Changing Password

  1. Select your preference regarding what kind of bounty programs you want to be part of in the ‘Invitation preferences’ option of the ‘Profile Settings’ panel. Select and update your preference on the following page.

Payment Settings

SafeHats Mission Control manages all payments to hackers. We are currently in the process of integrating a payment gateway and Paytm wallets. Until then, all payments will be made directly into the bank accounts of the hackers, upon approval from corporate admins.

Support

The contents of this documentation should familiarise you with the workings of the platform. The FAQ section answers the most general questions on bug bounty programs. In case of any additional queries, please feel free to mail us at support@safehats.com.