The Bugcrowd Code of Conduct outlines the behaviors required of all Bugcrowd community members participating in crowdsourced security programs, Bugcrowd online community offerings such as the Bugcrowd Community Forum and IRC channel #bugcrowd, the Bugcrowd Researcher slack channel, Discord, Bug Bashes, as well as any other programs and events that may be offered by Bugcrowd.
This Code of Conduct applies to all interactions you have with Bugcrowd team members, customers, and researchers. The Bugcrowd community is intended for everyone, from all walks of life, and following this Code of Conduct will help ensure that we maintain a safe and welcoming place for all. Please take a moment to learn more about Who We Are and our standard requirements to understand the platform culture of all Bugcrowd participants.
Who We Are and What We Require
Our top core values are simple. We don’t believe in unnecessarily complicating things.
- Be Kind.
- Be Respectful and Professional in your communications and behavior.
- Be Ethical. Don’t intentionally mislead customers or Bugcrowd. It is your job to try and break both technology and business logic flaws, but when you find a weakness it is also your job to report it to be fixed – not exploit it.
- Help us improve. We do this through honest and insightful discussions with our peers and partners.
Vulnerability Reporting Standards
Be prompt in reporting vulnerabilities you have identified.
- Disclosure Guidelines: Don’t share confidential vulnerability or customer information. Private program customers are private, and no submitted vulnerability (including duplicates, Out of Scope, Not Applicable, etc.) may be disclosed without explicit customer permission. Please read each Bounty Brief for specific program disclosure policies, which supersede (overrule) this policy. We expect everyone to use the proper channels to disclose or communicate about vulnerability submissions. Email Bugcrowd Support if you have any questions about disclosure.
- If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating the impact of the vulnerability; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information. In the event you access PII or other sensitive data, please note that you are required to follow all laws and regulations applicable to the access and processing of such personally identifiable information and/or data, such as the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679), including the European Commission’s Standard Contractual Clauses regarding the transfer of personal data to processors and the California Consumer Privacy Act of 2018, and the California Privacy Rights Act of 2020 once it becomes effective.
- It is not acceptable to create placeholder submissions that are used to “squat” on findings (e.g. reports that are rapidly submitted a vague title and no detailed replication steps in the initial report, etc); all valid findings must be submitted with a full description, proof of concept, and complete replication steps in the original report. In cases where the initial report is lacking a description, proof of concept, and replication steps, those reports will be closed, and must be re-submitted with the required information to be considered for the program. Please always submit complete, fully populated, and articulate reports.
- Read and abide by Bugcrowd’s Standard Disclosure Terms and each program’s Bounty Brief. We expect you to follow all guidelines and rules that a particular crowdsourced security program or company has outlined regarding scope of testing and disclosure. For more information on disclosure policies at Bugcrowd, visit the Researcher Documentation Centre, our Researcher Resources, or FAQ.
Get Started with Bugcrowd
Every minute that goes by, your unknown vulnerabilities leave you more exposed to cyber attacks.