
Enterprise

Getting started

Welcome to the Safehats bug bounty program. This is a unique opportunity for enterprises to reach out to and make use of the services of hundreds of talented security researchers. This documentation serves as a guide for enterprises, describing the features of the platform and how to effectively manage a bug bounty program.

Preparing Your Organization

All staff that might be affected by the program must be briefed on the program objectives in detail. The developer team must be ready to resolve bugs as soon as they are reported. Members of the organization must be prepared well in advance for any disruption that might occur during the testing period. A test environment must be created with dummy data to protect sensitive information.

Program

Types of Programs

Safehats offers three different kinds of programs, depending on the security maturity of the enterprise.

  • Walk (Enterprise): In this program the application is tested by trusted researchers curated by Safehats. Initial testing of the app finds most vulnerabilities and gives developers the opportunity to rectify them.
  • Run (Private Managed): This is a managed vulnerability disclosure program involving selected high-quality hackers in a time-bound manner. Only selected hackers are invited to participate. This gives the enterprise the opportunity to have its application tested by researchers with varied expertise and skill sets.
  • Fly (Public): For security-mature organizations that want best-in-class security assessment of their application by exposing it to a universal pool of security researchers.

Program Policy

The program policy clearly defines the guidelines that must be followed during the course of the program and is created with the intention of resolving any ambiguity that might arise while it runs. It guides the hackers' efforts toward what needs attention and away from what does not. The scope of the program, i.e. which product, which properties and which types of vulnerability are to be discovered, and more specifically what is excluded, must be stated clearly in the program policy. The program policy also establishes the protocol for communication between the program owner and the researchers. Program owners must understand that they are not to initiate any legal action against a security researcher as long as his/her actions are within the policies of the program.

The standards mentioned in the policy must be followed strictly when disclosing a bug. The detailed guidelines to be adhered to while reporting a bug are covered in the next section. Under no circumstances should information about a bug be made public until prior approval from the organizer has been obtained.

Code of Conduct

Enterprises organising a bug bounty program must abide by the following:

  • Treat security as the utmost priority and act upon reported vulnerabilities to mitigate them at the earliest.
  • Reward the findings and incentivize hackers to keep up the good work.
  • Provide due public recognition to hackers wherever applicable.
  • Do not threaten or take unnecessary punitive action against researchers, or initiate unreasonable legal action against them.

Owner Startup Guide

Now that you are familiar with the bug bounty program, it’s time to create and manage your account.

Signup as Enterprise

Just register on our website, complete your profile and you are good to go. Follow these simple steps:

  • Go to https://safehats.com and SIGNUP as an Enterprise.
  • Fill in the required details and signup.
  • A verification mail will be sent to the registered email ID. Click on the link to verify your account.
  • You will be directed to the home page. Click on Login. Sign into your account by entering your credentials.
  • You will now be directed into your account. Congratulations! Your company profile is now created.

Creating or Updating a Program

A program needs to be created after the company profile has been created. Follow these steps to create and update the program:

  • Click on the update program button on the top navigation bar. You will be directed to the “Create Platform” page.
  • Update the required info and select the type of program you want to run and then Click Next.
  • You will be guided to the “policy and scope” page. Define the program policy and scope as per your requirements and click next.
  • Define the reward that your company is willing to offer.
  • Invite hackers as per your requirement. Safehats offers you customised filtering options.
  • Click on Next and you are done. Your program creation request will be sent to “Safehats Mission Control (SMO)” for approval.

Inviting Members

Once your program is created you can loop in other members and assign them roles as required. You can invite other members as follows:

  • Go into the profile section of your website.
  • Go to Team Management. Click on the Invite Users Button.
  • Enter the email ID of the person concerned and assign them to a group based on the access they are to be granted.
  • The User will get a mail to accept the invite and join the program.

Defining Roles

The admin can divide users into groups based on the level of control to be given, depending on each user's function. Groups can be created in the “Group Management” section of the profile.

  • Click on “Add Group” button.
  • Fill in the Group Name and Access Control.
  • Click on Update.

Group Management

Adding or removing team members can only be performed by someone with Admin access.

The following role permissions are available for selection:

  • Default (Read Only)
  • Report
  • Program
  • Reward
  • Admin

Sections Of Your Account

Dashboard

This is the initial page after sign-up; here the admin can monitor all activities going on in the platform. It contains aggregate information on all running programs, bugs reported and bounty paid.

Programs

This contains general information about all running programs and gives the admin control to enable or disable any program. Clicking on a program shows detailed information about it.

Profile

Here you can manage your personal account as well as the program, depending upon the access level you have.

Hacker

This contains general information about all registered hackers. The admin can add and remove verified hackers from here. Clicking on any hacker gives access to that hacker's detailed profile.

Reports

All submitted reports can be viewed from here. The user can then validate the authenticity of the report and decide if the submission is eligible for bounty.

User Startup Guide

Now that you are familiar with the interface, it's time to get started on customizing and managing your account.

Understanding Roles and Responsibilities

Updating your profile is easy. Just click on the edit icon in the top left section of your profile. You will be directed to the edit profile page. Here you can enter the required information and update your profile.

Managing Submissions

All members invited to be part of the bug bounty program have access to the submitted reports. For better management of submitted reports, the members involved can be divided into teams for validating and editing reports, disbursing rewards, managing teams and rectifying the reported bugs.

  • Depending on the role assigned, permissions may vary.
  • All submitted bugs must be validated by the internal triage team.
  • Following validation of submitted reports, the Rewards team must assign and pay the bounty to the hacker concerned.
  • The admin is responsible for inviting new members.
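As an added illustration (not Safehats' own code, and not a description of how the platform itself enforces permissions), the following Python sketch models the role permissions listed under Group Management and the division of work described here: the triage (Report) role validates a submission, the Reward role pays the bounty only on a validated report, and only Admin invites members, with every state change recorded in an audit trail. Which roles map to which actions, and that Admin is allowed every action, are assumptions made for the example.

```python
"""Role-based handling of bug bounty submissions (added example).

Assumptions, not platform behaviour: the action-to-role mapping below, the
three-state report lifecycle and Admin being allowed every action.
"""
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    """The five role permissions listed on the page."""
    DEFAULT = "default"   # read-only
    REPORT = "report"     # triage: validate submissions
    PROGRAM = "program"   # manage program settings
    REWARD = "reward"     # assign and pay bounties
    ADMIN = "admin"       # invite members; assumed to allow everything


# Assumed mapping of actions to the roles permitted to perform them.
# Separation of duties: the role that validates cannot pay, and vice versa.
PERMISSIONS = {
    "view_report": {Role.DEFAULT, Role.REPORT, Role.PROGRAM, Role.REWARD, Role.ADMIN},
    "validate_report": {Role.REPORT, Role.ADMIN},
    "pay_bounty": {Role.REWARD, Role.ADMIN},
    "invite_member": {Role.ADMIN},
}


class PermissionDenied(Exception):
    """Raised when a role attempts an action it is not permitted to perform."""


@dataclass
class Report:
    report_id: str
    status: str = "submitted"          # submitted -> validated -> rewarded
    bounty: int = 0
    audit: list = field(default_factory=list)


def can(role, action):
    """True if the role is permitted to perform the action (deny by default)."""
    return role in PERMISSIONS.get(action, set())


def authorize(role, action):
    """Enforce the permission table; unknown actions are denied, not ignored."""
    if not can(role, action):
        raise PermissionDenied(f"role '{role.value}' may not {action}")


def validate_report(report, role):
    """Triage step: only a submitted report can be marked as validated."""
    authorize(role, "validate_report")
    if report.status != "submitted":
        raise ValueError(f"report {report.report_id} is already {report.status}")
    report.status = "validated"
    report.audit.append(("validate", role.value))
    return report


def pay_bounty(report, role, amount):
    """Reward step: pay once, and only on a validated report."""
    authorize(role, "pay_bounty")
    if amount <= 0:
        raise ValueError("bounty must be a positive amount")
    if report.status != "validated":
        raise ValueError(f"cannot pay bounty on a report in state '{report.status}'")
    report.status = "rewarded"
    report.bounty = amount
    report.audit.append(("pay", role.value, amount))
    return report


def attempt(action, *args):
    """Run an action and classify the outcome: 'ok', 'denied' or 'invalid'."""
    try:
        action(*args)
        return "ok"
    except PermissionDenied:
        return "denied"
    except ValueError:
        return "invalid"


def demo_workflow():
    """Walk one constructed report through triage and reward; return it."""
    report = Report("R-0001")            # constructed sample id
    validate_report(report, Role.REPORT)
    pay_bounty(report, Role.REWARD, 500)
    return report


if __name__ == "__main__":
    r = demo_workflow()
    print(r.status, r.bounty, r.audit)
    print("reward role validating:", attempt(validate_report, Report("R-0002"), Role.REWARD))
    print("double payment:", attempt(pay_bounty, r, Role.REWARD, 100))
```

The two checks worth noting are the deny-by-default lookup in `can` (an action missing from the table is refused rather than silently allowed) and the state check in `pay_bounty`, which prevents paying an unvalidated report or paying the same report twice regardless of who asks.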

Editing Personal Information

The user can make changes to his account in the profile section of the account. The following steps need to be followed to change personal information:

  • Go to the Profile section of the user account.
  • Select the Profile Update option.
  • Enter any updates required and click on Update.

Changing Password

Select your preference regarding what kind of bounty programs you want to be a part of in the “Invitation preferences” option of the “Profile Settings” panel. Select and update your preference on the following page.

Payment

Safehats Mission Control manages all payments to hackers. We are currently in the process of integrating payment gateways and Paytm wallets. Until then, all payments will be made directly into the bank accounts of the hackers, upon approval from corporate admins.

Support

Enterprises can reach the Safehats team via the “Support” option.

Email Support

Enterprises can send email directly to safehats@instasafe.com

Telephone Support

Researchers can reach out to the helpdesk number +91-844-844-8548 Ext: 86

Chat Support