
Enterprise

Getting started

Welcome to the Safehats bug bounty program. This is a unique opportunity for enterprises to reach out to and make use of the services of hundreds of talented security researchers. This documentation serves as a guide for enterprises, describing the features of the platform and how to manage a bug bounty program effectively.

Preparing Your Organization

All staff who might be affected by the program must be briefed in detail on the program objectives. The development team must be ready to resolve bugs as soon as they are reported. Members of the organization must be prepared well in advance for any disruption that might occur during the testing period. A test environment must be created with dummy data to protect sensitive information.

Program

Types of Programs

Safehats offers three different kinds of program, depending on the security maturity of the enterprise.

  • Walk (Enterprise): In this program the application is tested by trusted researchers curated by Safehats. Initial testing of the application finds most vulnerabilities and gives developers the opportunity to rectify them.
  • Run (Private Managed): This is a managed vulnerability disclosure program involving selected high-quality hackers in a time-bound manner. Only selected hackers are invited to participate. This gives the enterprise the opportunity to have its application tested by researchers with varied expertise and skill sets.
  • Fly (Public): For security-mature organizations that want a best-in-class security assessment of their application by exposing it to a universal pool of security researchers.

Program Policy

The program policy clearly defines the guidelines that must be followed during the course of the program and is created with the intention of resolving any ambiguity that might arise while it runs. It helps direct the hackers' efforts towards what needs attention and away from what does not. The scope of the program should be stated clearly, i.e., which product, which properties and which types of vulnerability are to be discovered, and, more specifically, everything that is excluded must be explicitly mentioned in the program policy. The program policy also establishes the protocol for communication between the program owner and the researchers. Program owners must understand that they are not to initiate any legal action against a security researcher as long as his or her actions are within the policies set out in the program.

The standards set out in the policy must be strictly followed when disclosing a bug. The detailed guidelines to be adhered to when reporting a bug are given in the next section. Under no circumstances should information about a bug be made public until prior approval from the organizer has been obtained.

Code of Conduct

Enterprises organising a bug bounty program must abide by the following:

  • Treat security as the utmost priority and act upon reported vulnerabilities to mitigate them at the earliest.
  • Reward the findings and incentivize hackers to keep up the good work.
  • Provide due public recognition to hackers wherever applicable.
  • Do not threaten or take unnecessary punitive action against researchers, or initiate unreasonable legal action against them.

Owner Startup Guide

Now that you are familiar with the bug bounty program, it’s time to create and manage your account.

Signup as Enterprise

Just register on our website, complete your profile and you are good to go. Follow these simple steps:

  • Go to https://safehats.com and SIGNUP as an Enterprise.
  • Fill in the required details and sign up.
  • A verification mail will be sent to the registered email ID. Click on the link to verify your account.
  • You will be directed to the home page. Click on Login and sign into your account by entering your credentials.
  • You will now be directed into your account. Congratulations! Your company profile is now created.

Creating or Updating a Program

A program needs to be created after the company profile has been created. Follow these steps to create and update the program:

  • Click on the Update Program button on the top navigation bar. You will be directed to the “Create Platform” page.
  • Update the required info, select the type of program you want to run and then click Next.
  • You will be guided to the “Policy and Scope” page. Define the program policy and scope as per your requirements and click Next.
  • Define the reward that your company is willing to offer.
  • Invite hackers as per your requirement. Safehats offers you customised filtering options.
  • Click on Next and you are done. Your program creation request will be sent to “Safehats Mission Control (SMO)” for approval.

Enter the Policy and Scope

Add Guidelines for Researchers for Report submission.

Predefined Templates for Web Application, Mobile Application and Server Application.

Customizable Templates

Add the Rewards and Swags

Inviting Members

Once your program is created you can loop in other members and assign them roles according to requirement. To invite other members:

  • Go into the profile section of your website.
  • Go to Team Management and click on the Invite Users button.
  • Enter the email ID of the concerned person and assign them to a group based on the access they are to be granted.
  • The user will get a mail to accept the invite and join the program.

Defining Roles

The admin can divide the users into groups based on the level of control to be given, depending on the user's function. Groups can be created in the “Group Management” section of the profile.

  • Click on the “Add Group” button.
  • Fill in the Group Name and Access Control.
  • Click on Update.

Group Management

Adding or removing team members can only be performed by a user with Admin access.

The following role permissions are available for selection:

  • Default (Read Only)
  • Report
  • Program
  • Reward
  • Admin

Customize Email Template

Enterprises have the option to customize the email templates for various events, such as:

  • New Signup
  • Member Invitations
  • Password Reset Request
  • Password Change Success
  • Report Submission

When you click on one of the email templates, the default template is preloaded for modification. You can also reset your changes back to the default template.

Sections Of Your Account

Dashboard

This is the initial page after sign-in; here the admin can monitor all activities going on in the platform. It contains aggregate information on all running programs, bugs reported and bounty paid.

SMO Dashboard

The SMO also has a Dashboard and Analytics.

Programs

This section contains general information about all running programs and gives the admin control to enable or disable any program. Clicking on any program shows detailed information about it.

All researchers can collaborate on the reports submitted as part of the program. Researchers can view reports submitted by other researchers for the program and collaborate on them by sharing further findings and information with each other, sharing screenshots, videos and links, and adding comments and clarifications.

Researchers can also choose the visibility of their contributions: all participants or selected members only. Comments added by a researcher are appended to the report together with the researcher and timeline details.

Both the commenter and the enterprise also have the option to delete comments.

Profile

Here you can manage your personal account as well as the program, depending on the access level you have.

Hacker

This section contains general information about all registered hackers. The admin can add and remove verified hackers from here. Clicking on any hacker gives access to that hacker's detailed profile.

Enterprises can see each researcher's credibility and performance, such as bugs resolved, bounty rewarded and swag received.

Reports

All submitted reports can be viewed from here. The user can then validate the authenticity of a report and decide whether the submission is eligible for bounty. Reports are labelled as below:

  • New Reports
  • Triage
  • Duplicate
  • Resolved Reports
  • Closed Reports
  • Spammed Reports

Reports can be filtered by label and searched by Status, Report ID, Report Title and Researcher username.

Enterprises can download or export reports in various formats such as CSV, JSON and XML.

Enterprises can review and validate the vulnerability reports submitted by security researchers. An enterprise can prioritize a report, change its status (Not Applicable, Duplicate, Spam, Resolved or Informative), add comments, triage it and close it.

General Settings

Enterprises can update general settings such as logos, colours, name, websites and social media accounts to customize the branding.

User Startup Guide

Now that you are familiar with the interface, it’s time to get started on customizing and managing your account.

Understanding Roles and Responsibilities

Updating your profile is easy. Just click on the edit icon in the top left section of your profile. You will be directed to the edit profile page, where you can enter the required information and update your profile.

Managing Submissions

All members invited to be part of the bug bounty program have access to the submitted reports. For better management of submitted reports, the involved members can be broken into teams for validating and editing reports, disbursing rewards, managing teams and rectifying the reported bugs.

  • Depending on the role assigned, permissions may vary.
  • All submitted bugs must be validated by the internal triage team.
  • Following validation of submitted reports, the Rewards team must assign and pay the bounty to the concerned hacker.
  • The admin is responsible for inviting new members.

Editing Personal Information

The user can make changes to his or her account in the profile section. The following steps need to be followed to change personal information:

  • Go to the Profile section of the user account.
  • Select the Profile Update option.
  • Enter any updates required and click on Update.

Changing Password

Select your preference regarding what kind of bounty programs you want to be a part of in the ‘Invitation preferences’ option of the ‘Profile Settings’ panel. Select and update your preference on the following page.

Integration

Single Sign On (SSO)

SSO is an authentication service that allows a user to use a single login to access multiple applications. SSO uses the Security Assertion Markup Language (SAML) for exchanging authentication data between the applications.

This feature is available only in the Safehats Enterprise Edition.

SAML

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between two parties, the Service Provider (SP) and the Identity Provider (IdP).

The Service Provider agrees to trust the Identity Provider to authenticate the user. The Identity Provider generates an authentication assertion for the user and communicates it to the Service Provider. The most important use case that SAML addresses is web browser single sign-on (SSO). Single sign-on can be established between different domains.

How SSO works

SSO involves three parties:

  • User
  • Service Provider (Ex: Safehats)
  • Identity Provider (Ex: OneLogin, Google etc.)

SSO Workflow:

  • The user requests a service from the Service Provider.
  • The Service Provider requests an authentication assertion from the Identity Provider.
  • Based on the assertion, the Service Provider makes a decision on the user’s request.

How to enable SSO

  • Decide on your IdP: the Identity Provider is the party that authenticates and authorizes the user to perform an action. It can be

    • Third party vendor (Ex: Google, OneLogin)
    • Your own application
  • Then write to safehats@instasafe.com with the following information

    • Login URL
    • Logout URL
    • Password reset URL
    • X.509 certificate
    • Encryption algorithm (Ex: RSA, SHA1)

API

The Safehats API can be used by enterprises to integrate and communicate with the Safehats application. An enterprise can create an API from the application. Once the API is created, the enterprise receives the API details:

  • API User
  • API Password
  • API Header

Enterprises can manage APIs, i.e. create and delete them, from the API option in the Enterprise login.

The following APIs are available:

  • Pull Vulnerability Reports: Pull all of your program's vulnerability reports into your own systems to automate your workflows.

  • Access your program information: Manage your program settings and access your current balance and recent transactions.

  • Award a bounty: Award bounties to hackers who have reported a vulnerability. You can also reward hackers for vulnerabilities found outside of Safehats using the program bounty endpoint.

  • Import external findings: Use the Reports API to import findings from external systems or pentests into Safehats to improve duplicate detection and reporting.

Detailed API documentation is provided on request. Please reach out to safehats@instasafe.com for the API documentation.

This feature is available only in the Safehats Enterprise Edition.

Other Integration

Vulnerability Scanner, Ticketing & SIEM

Enterprises can integrate multiple third-party software products and solutions. Configuration options are available for integration with ticket management, vulnerability scanner and SIEM software:

  • Ticket Management Software
  • Vulnerability Scanner
  • Security Information & Event Management (SIEM)

This feature is available only in the Safehats Enterprise Edition.

Please reach out to safehats@instasafe.com for any such integration or for any customization of an integration.

Safehats Vulnerability Scanner (SVS)

Safehats Vulnerability Scanner (SVS) is vulnerability detection software that scans web applications, with the following capabilities:

  • Scanning Capabilities: Safehats Vulnerability Scanner (SVS) scans your software applications to identify known vulnerabilities. It uses a database of known vulnerabilities and security issues to compare against your system's configuration.

  • Types of Scans: Safehats Vulnerability Scanner (SVS) performs different types of scans, including web application scans to find web-related vulnerabilities such as SQL injection or cross-site scripting.

  • Regular Scanning: Safehats Vulnerability Scanner (SVS) can be scheduled to run automated scans periodically to keep up with the evolving threat landscape.

  • Reporting: Safehats Vulnerability Scanner (SVS) provides comprehensive reports highlighting the vulnerabilities discovered. These reports often include severity levels, descriptions, and recommendations for remediation.

Safehats Vulnerability Scanner (SVS) Architecture

The Safehats Vulnerability Scanner (SVS) can be used for the following:

  • WhoIs
  • IP Enrichment (Shodan API / Port Scanner)
  • CMS Scanner
  • SSL Scanner
  • Sub Domain Enumeration
  • Web Application Security Testing

Administration Option of the Scanner

This feature is available only in the Safehats Enterprise Edition.

Payment

Safehats Mission Control manages all payments to hackers. We are currently in the process of integrating payment gateways and Paytm wallets. Until then, all payments will be made directly into the bank accounts of the hackers, upon approval from corporate admins.

Support

Enterprises can reach the Safehats team from the “Support” option.

Email Support

Enterprises can send email directly to safehats@instasafe.com.

Telephone Support

Researchers can reach the helpdesk at +91-844-844-8548 Ext: 86.

Chat Support

Note: The support details are customizable and can carry client-specific details. Support customization is only available in the Enterprise Edition.