A quick guide to setting up a program on CyScope’s bug bounty platform

If you’ve considered implementing a bug bounty program for your business but feel uncertain about the complexity of the setup process, this post will easily showcase a quick setup guide to get your programs up and running in no time.

The CyScope platform is remarkably user-friendly. Our development team worked hard (and continues to do so!) to make sure our program setup process was as simple and straightforward as possible, readily available for businesses no matter their size, industry, or their level of security expertise.

Our program setup process involves five steps: configuration, definition of privacy, degree of autonomy, execution, and reporting.

1. Configuration of your program
   Within your company page, your will need to specify:
   • Assets and scope: Web app, mobile app, external infrastructure, IoT, API to be tested, as well as their respective URLs, domains, IPA, APK etc.
   • Objectives: the type of findings and scenarios you are interested in, the weaknesses that you would like the hackers to evaluate, your expectations and concerns to orientate the hackers in their assessment.
   • Rules: Rules of engagement, disclosure policy and exclusions.
   • Budget and Bounties: you decide the exact budget and amount of the rewards. Each reward is based on its level of severity. It’s good to keep in mind that your offering plays an important role in determining who participates in your program. The idea is for the prizes to be as incentivising and attractive as possible for the security researchers!
2. Definition of your level of privacy
   Then you will need to specify between an open or public program and a private “invite only” program.Public/open programs are listed on the CyScope platform and available to all researchers registered on our platform. Users can see the program and submit their reports. This option is usually recommended to evaluate large scopes, and to ensure the participation of a very large number of participants using different techniques and attack vectors.

   Private or invitation only programs are those where only a select number of security researchers are invited to participate and will not appear in our website’s public list of programs. Private programs are great to evaluate the security level of sensitive assets.Additionally, ff this is your first time trying out a bug bounty platform, we recommend the private option as a perfect starting point, to better understand the results, to get familiar with the process and to get to know the talents who are part of the Community.

3. Definition of your level of autonomy
   In this step you can specify the level of support you’d like from the CyScope team. For time and resources reasons you may prefer to use the services of our internal analysts available 5/8 to review, classify, reproduce, and validate all the findings reported by the hackers, and also to execute the retest once the issue has been fixed.After following these steps, you’re all set up and ready to launch your program!
4. Execution of the program
   Our ethical hackers will register to your program and start testing your systems and infrastructure in the lookout for vulnerabilities. Once they find one, they prepare a detailed report and submit it for validation.At CyScope, we often see the first valid vulnerability reports arriving within 24 hours!
5. Findings evaluation, validation and pay out
   You will be notified by email any time a vulnerability has been discovered. For more transparency, you have access to real time results and information, and you can interact with hackers through the platform via a secure chat zone to clarify any doubts on the results.

Each report includes a detailed description of the vulnerability, the steps to recreate it and the countermeasures to fix it. If the finding is defined as valid, the payment of the reward is approved, and it will be further be managed by CyScope’s finance department.

Our platform also provides you with access to filtered and prioritized security reports that allow for a quick mitigation process. Once your internal team has fixed the issues found, you can request a retest to the CyScope’s team to verify the success of the remediation process.

By the end of the process, if you’re satisfied with the achieved results, you can easily expand the scope or start a new program at any time!