In bug bounty programs, having an open scope is quite possibly the single most effective thing your organization can do to help secure your external attack surface. It leverages the power of the whole crowd to find and identify any exposures your organization may have online, and most of the time, there’s a lot more out there than you realize.
What is a scope?
A scope is the defined set of targets that an organization has listed as assets to be tested as part of a particular engagement. Things that are listed as “in-scope” are eligible for testing; things that are “out of scope” are not to be tested.
If you think of scope as a spectrum, there are three main categories that programs fall under. Where your program falls can determine how effectively it reaches researchers and how successful it is overall.
Three main types of scopes:
- Limited Scope: a limited scope bug bounty program includes only a single target or a specific list of targets.
- Wide Scope: a wide scope bounty program is one whose in-scope targets include a wildcard.
- Open Scope: an open scope bounty program is one that places no limitations on what researchers can or cannot test, so long as the target/asset belongs to your organization.
For programs that currently fall under Limited or Wide Scope, considering a move toward open scope is almost always a good idea. If you’re feeling unsure, don’t worry: most organizations and bounty programs follow a systematic progression over time. It’s common to start with a basic or limited scope, move to a more expansive but still limited scope, then to a wildcard, and finally to an open scope.
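To make the three tiers concrete, here is an added example (not code from the Bugcrowd post) that evaluates whether a given host is eligible for testing under a limited, wide, or open scope definition for the same organization. All hostnames, patterns and the ownership check are constructed assumptions; a real open-scope program would verify asset ownership against its inventory rather than a hard-coded domain list.

```python
# Added example (not from the Bugcrowd post): a scope checker for the three
# scope tiers the post describes. All hostnames and patterns are constructed.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class ProgramScope:
    kind: str                                        # "limited", "wide" or "open"
    targets: list = field(default_factory=list)      # exact hosts (limited) or wildcard patterns (wide)
    org_domains: list = field(default_factory=list)  # apex domains the org owns; used for open scope
    exclusions: list = field(default_factory=list)   # explicitly out-of-scope hosts/patterns, any tier


def _normalize(host: str) -> str:
    return host.strip().lower().rstrip(".")


def _matches_any(host: str, patterns) -> bool:
    # fnmatch '*' also spans dots, so "*.example.com" covers deeper subdomains too
    return any(fnmatchcase(host, _normalize(p)) for p in patterns)


def is_in_scope(scope: ProgramScope, host: str) -> bool:
    """Return True if `host` is eligible for testing under `scope`."""
    host = _normalize(host)
    if _matches_any(host, scope.exclusions):   # an out-of-scope listing always wins
        return False
    if scope.kind == "limited":
        return host in {_normalize(t) for t in scope.targets}
    if scope.kind == "wide":
        return _matches_any(host, scope.targets)
    if scope.kind == "open":
        # Stand-in for "belongs to your organization": the host is an owned apex
        # domain or sits under one. Real programs confirm ownership from their
        # asset inventory and DNS records, which this example does not model.
        return any(host == d or host.endswith("." + d) for d in map(_normalize, scope.org_domains))
    raise ValueError(f"unknown scope kind: {scope.kind}")


# Constructed example program: the same organization at each tier of the progression.
LIMITED = ProgramScope("limited", targets=["www.example.com", "api.example.com"])
WIDE = ProgramScope("wide", targets=["*.example.com"], exclusions=["legacy.example.com"])
OPEN = ProgramScope("open", org_domains=["example.com", "example.net"], exclusions=["legacy.example.com"])


def scope_coverage(host: str) -> dict:
    """Which tiers would let a researcher test `host`? Shows what a move toward open scope adds."""
    return {name: is_in_scope(s, host) for name, s in (("limited", LIMITED), ("wide", WIDE), ("open", OPEN))}


if __name__ == "__main__":
    for h in ["www.example.com", "staging.api.example.com", "shop.example.net", "legacy.example.com"]:
        print(h, scope_coverage(h))
```

The second and third hosts are the kind of forgotten staging system or sister-brand domain that only a wider tier exposes to researchers, which is the point the post makes about unrealized exposure.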
Why is expanding your program’s scope important?
Threat actors aren’t asking for permission to use an open scope; they don’t have to play by any rules, and they aren’t going to limit themselves to entering through your “front door.” So, limiting what defenders can test only puts you at a further disadvantage. For that reason, an open scope program is not only useful, but necessary: few actions are potentially more effective at improving security posture than running an open-scope bug bounty program.
Ready to start moving your program toward an open scope?
The best place to start is by talking to your Bugcrowd Success Team – your TCSM will help provide guidance, recommendations, and support for whatever you need to get going. Bugcrowd is here to help you secure your organization, and we know that open scope is a critical part of your security journey. To learn more about Open Scope, check out this guide.