There are immediate and long-term benefits to investing quality time and effort into your engagement brief. Whether you’re just starting your cybersecurity journey or a veteran of the game, equipping your brief with the tools for success will immensely benefit your engagement performance. In this blog post, I walk you through how to write an accurate and well-articulated brief to incentivize hackers to hunt on your engagement. Specifically, I’ll go over several key considerations:

  • Key information to include
  • Optimizing the length of the brief
  • Unhelpful information and discouraging statements.

Before we dive deeper, allow me to introduce myself! My name is Rami 👋. I’m a Security Solutions Architect at Bugcrowd. My goal is to help you optimize your Managed Bug Bounty (MBB) and get the most value out of your engagements. My work is generally carried out behind the scenes, but nevertheless, I’m often the person your TCSM (Technical Customer Success Manager) will go to for advice! Topics I discuss with TCSMs include reward amounts, incentive programs, escalations, and anything giving our customers trouble. I’ve helped countless customers stand out to hackers and increase their engagement levels, and I’m going to do the same for you.

There are a few key things I’d like to remind you about:

A compelling brief helps CrowdMatch do its thing (matching hackers to engagements based on target tags and skills), but there are many other benefits you may not have thought of. It’s truly worth taking a little extra time to improve your brief’s structure, clarity, and content so that it offers helpful guidance. With a well-written brief, you can expect to attract the right hackers with the right experience and skill set, which paves the way for efficiency and consistent, high-quality activity. And of course, a clear brief minimizes confusion and maximizes focused effort right out of the gate. Remember: clarity and transparency foster a strong sense of trust between your organization and the hackers.

To attract people to your organization’s engagement, we have to incentivize them! Hackers have a lot of choice when it comes to projects they can work on, with varying scopes, rewards, incentives, and more. The options are endless, and a well-written brief both brings in new hackers and keeps loyal ones coming back. Here are a few easy ways to incentivize hackers:

  • Rewards 
  • Communication 
  • Exciting scope 
  • Supporting material (like documentation) 
  • Quality-of-life improvements (like a build of your mobile app with client-side protections such as certificate pinning disabled, or a custom sandbox for hunters) 
  • Bonuses, marketing, and excitement. 

Gamification

Let’s quickly talk about “gamification.” It simply means incorporating game-like elements into non-game contexts to enhance engagement and participation. You’re most likely familiar with these techniques—think of leaderboards, achievements, and rankings.

Now let’s talk briefly about psychology, specifically the two types of motivation and how they can help you craft an excellent program brief. There are two types of motivation:

  • Extrinsic motivation is outcome-based: the hacker is driven by an external result such as a bounty, a bonus, or a leaderboard position.
  • Intrinsic motivation is purpose-driven: the hacker is driven by the work itself, such as an interesting target, learning something new, or helping protect users.

Yu-kai Chou developed the Octalysis framework, which outlines eight core drivers that affect motivation. The sections that follow show how to apply those drivers when writing a compelling brief.

In-platform guidance starting with title and tagline

Before discussing your own engagement, let’s start with the engagements page. This is where hackers can browse and filter engagements according to their preferences. When a hacker browses the engagements, they see something like this 👇:

[Screenshot: the Bugcrowd engagements list as a hacker sees it]

There are a few key things to look at here:

  • If an engagement is public or private
  • The title
  • The tagline
  • The reward range
  • Scope indicator

The title and tagline are impactful, but they’re often misused. You want hackers to click into your engagement, not anyone else’s!

Your engagement title 

The most important piece of advice I have to give here is: use a recognizable name. Sometimes organizations list only the parent company’s name, but hackers may know the brand rather than the parent, and the parent’s name alone doesn’t tell them which entities are included. For example, Commonwealth Bank is the parent company of Bankwest. While Commonwealth is a recognizable name, listing it alone does not tell hackers that Bankwest is part of the engagement.

Your engagement tagline

This is your elevator pitch. Tell hackers who you are and make them want to choose your engagement. 

Don’t say ❌: “Come hack us”—it’s obvious and lacks information.

Do say ✅: A descriptive hook statement about your organization. It should be unique to you and provide enough information to entice someone to want to learn more. 

Designing the brief page

Your engagement page will look something like our public demo program Hack Me!:

[Screenshot: the brief page of the public demo program Hack Me!]

This is where the hacker retrieves all the details about your engagement, such as who you are, your engagement’s scope, and any rewards and incentives. This is also their first step toward hacking on your engagement! Your TCSM will help you mold and refine the brief page, but here are some immediate steps you can take on your own.

The unofficial intro section

At the top of the brief is space for a small blurb, or as I like to call it, the unofficial intro section. We want to achieve three things here:

  • Provide a note of gratitude—Thank hackers for taking the time to choose you.
  • Offer a brief overview—Give hackers a brief overview of who you are and what you do.
  • Highlight anything really cool or special.

This section is incredibly important and often misused. It is the on-screen equivalent of high-value real estate, so treat it like a billboard in Times Square. If you don’t have anything extra to say, leave it blank so the hacker reaches the scope and rewards sooner (those sit directly below it for exactly that reason!).

Ratings/rewards

This is a standard section. It typically states that your organization follows the VRT (Bugcrowd’s Vulnerability Rating Taxonomy, which maps vulnerability classes to priority levels P1 through P5). If you intend to include one or two small changes (e.g., “This vulnerability class will be considered P3 unless further impact is shown”), that’s fine. If you have a lot of changes that diverge from the VRT, I recommend leaving them for a later section.

If you don’t use the VRT here, state which classification method you use, such as CVSS. That being said, the VRT has been refined over several years and is overseen by an active VRT council that monitors changes in the industry. I highly recommend using VRT. 

I wrote the changes for VRT 1.12 to include AI application security. Check it out.

Deciding on scope

This is where we get into the good stuff! A compelling scope is essential to your MBB.

This section is dependent on who you are and what you have in scope. Always lead with what’s in scope first, followed by what’s out of scope or any restrictions. Placing too much out of scope or narrowing your scope too much can disincentivize hackers. 

How to communicate what’s in scope

I suggest following a pretty simple formula: create a single in-scope target group and make sure it is in order before creating categorized target groups. When creating that single in-scope target group, give your TCSM as much information as possible. This allows them to assign appropriate target tags and helps CrowdMatch do its thing. Along the same lines, when creating categorized target groups, group the targets in a way that reflects your own products and systems.

Quick word of advice: listing “anything we own” as in scope is risky. Testing a system without authorization is illegal, and the brief is where that authorization is given, so it has to be specific. We want to carefully guide hackers toward the right places. It’s fine to add “anything we own” as a target, but it should not be the only target. I’ll talk more about this later.

Lastly, If you’re going to include mobile targets, check out my Twitter thread here for advice. 

Communicating what’s in scope as a parent company

If you’re a parent company, split your engagement up according to your child companies and group relevant information in the target group description. 

Communicating your out-of-scope target group

There’s the “target group,” and there’s the “section.” The target group lists the assets themselves (hosts, apps, APIs) and applies directly to them. The “section” is free text used to add clarity and context. Customers often confuse the two and spread information across both areas, leaving hackers confused.

There are two primary functions of the target group:

  • Ensure hackers can navigate to property you DO own.
  • Ensure hackers do not navigate to property you DON’T own. 

If you have a brand name that may exist in other regions/industries, be sure to call that out to avoid confusion. For example, consider store.com.au and store.com—mark the latter as out of scope to assist hackers.

It’s important to be precise with your targets. Hackers will often start by loading your in-scope and out-of-scope lists into commonly used tools, like Burp Suite’s target scope, so an ambiguous entry in the brief becomes an ambiguous rule in their tooling. The target group is also a great spot to mention third-party dependencies you may not be responsible for.
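To make the store.com.au versus store.com point concrete, here is a small added example (mine, not part of Rami’s post or any Bugcrowd tooling) of the scope check a hacker’s tooling effectively performs once the target groups are loaded. The host names are the ones used above; the Burp project-options JSON key names (target.scope.include/exclude, advanced_mode, host, protocol) are my assumption from Burp’s export format and should be compared with a file Burp itself exports.

```python
import fnmatch
import json
import re

# Constructed scope entries, written the way a brief's target groups list them.
# The brief must list both the apex host and the wildcard: "*.store.com.au"
# does not match "store.com.au" itself.
IN_SCOPE = ["store.com.au", "*.store.com.au"]
OUT_OF_SCOPE = ["store.com", "*.store.com", "status.store.com.au"]


def _matches(host, patterns):
    """Case-insensitive whole-host match; '*' spans dots, as bounty wildcards do."""
    host = host.lower().rstrip(".")
    return any(fnmatch.fnmatchcase(host, p.lower()) for p in patterns)


def in_scope(host, include=IN_SCOPE, exclude=OUT_OF_SCOPE):
    """A host is testable only if an include matches and no exclude does.
    Excludes win, and anything not listed is out: no consent was given for it."""
    if _matches(host, exclude):
        return False
    return _matches(host, include)


def lint_scope(include):
    """Flag entries so broad that they amount to 'anything we own'."""
    return [p for p in include if p.strip() == "*" or "." not in p]


def to_burp_scope(include, exclude):
    """Emit a Burp Suite project-options fragment (target.scope).
    Burp stores hosts as regexes, so shell-style wildcards are translated.
    Key names are an assumption based on Burp's JSON export; verify them
    against a file exported by Burp before relying on this."""
    def entry(pattern):
        host_rx = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
        return {"enabled": True, "host": host_rx, "protocol": "any"}
    return {"target": {"scope": {
        "advanced_mode": True,
        "include": [entry(p) for p in include],
        "exclude": [entry(p) for p in exclude],
    }}}


if __name__ == "__main__":
    for h in ["store.com.au", "api.store.com.au", "store.com",
              "status.store.com.au", "store.com.au.example.org"]:
        print(f"{h:28} in scope: {in_scope(h)}")
    print("overly broad entries:", lint_scope(["*", "store.com.au"]))
    print(json.dumps(to_burp_scope(IN_SCOPE, OUT_OF_SCOPE), indent=2))
```

Two things the output makes visible that the prose alone does not: a wildcard entry never covers its own apex host, so a brief that lists only “*.store.com.au” has silently excluded store.com.au, and an explicit out-of-scope entry for store.com is what stops a hacker from touching an unrelated company that happens to share your brand name.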

Target information

Often, customers ask me for a “black box” or “like a real adversary” setup. Customers are interested in this route because it imitates a malicious threat most realistically. The downside is that a bounty pays for valid findings, not for time the way a pen test does, so forcing hackers to work blind tends to produce an expensive red team exercise with few results. Also, you should not be paying someone to bypass your web application firewall (WAF). A WAF is a compensating control, and if someone finds a bypass and the application behind it is insecure, you’re in big trouble anyway. It is common practice to allowlist researcher traffic past the WAF (for example by source IP or an agreed request header) so the bounty tests the application rather than the WAF.

Don’t forget: DOCUMENTATION. Help the hackers—don’t prevent them from doing their work. This is one of the easiest ways to get someone up to speed. You can achieve this through the following:

  • An engineering site
  • Swagger/OpenAPI specs for your APIs
  • A word doc in the file attachments.

Remember: The more you can provide, the better!

Granting access to your target

Spelling out how hackers access and authenticate to your targets, and doing so from day one, is the best way to get them hunting quickly. Every target is different, and every hacker has different specialties.

There are some important things to consider when opening up your engagement for hackers. Addressing these considerations will make it easier for them to get started and quickly provide you valuable information on your engagement. 

When granting access, ask yourself these questions:

  • Where can a hacker access our target?
  • How do they access the target?
  • Are there certain procedures?
  • Is there anything they should know?

Providing credentials to your target

If you have multiple sets of credentials, it’s helpful to inform hackers of this and the functional differences between them. This is especially helpful in relation to learning platforms where there are often two accounts, such as a student and a teacher.

It’s helpful here to inform the hacker if they need to do any of the following:

  • Sign themselves up using their @bugcrowdninja.com email.
  • Request pre-allocated credentials provided through Bugcrowd.
  • Seek unauthenticated access.

Providing self-sign-up access will give you the best results because you’ve given the hacker the most access and the most ability to manipulate the data. 

In contrast, unauthenticated programs can be limiting, especially if little to no functionality exists in the scope set out.

Focus areas

This is your chance to guide the hackers to areas most important to you. Common uses of this are as follows:

  • To test new product releases
  • To address certain areas of concern
  • To concentrate effort on the assets carrying the most risk.

Some customers list the OWASP top 10. There’s nothing wrong with this, but it’s the top 10 list for a reason. Hackers will almost always look for this. Use your engagement as an opportunity to get on your soapbox and identify the best value. Hackers reap the benefits of easy-to-follow directions and opportunities to earn rewards, and you get the bugs. 

Out of scope

  • Define out-of-scope activities here (e.g., denial of service, social engineering, physical testing), not out-of-scope targets; those belong in the target group described earlier.
  • Don’t use this area to discuss legalities. This is discussed in our Terms and Conditions (T&Cs), in the safe harbor section, and when hackers sign up to the platform. 
  • This section can get pretty long. Be mindful of your overall brief size.

Quick tip: instead of listing several conditions, generalize statements to limit actions that may negatively affect Confidentiality, Integrity, and Availability (CIA) for stakeholders. Hackers choose to hack with Bugcrowd to do the right thing and follow ethical protocols. There is no need to make this list overly long.

Safe harbor

To simplify the idea of safe harbor: it’s essentially your agreement not to pursue legal action against hackers who test in good faith, within the scope and rules set out in your brief.

If you fail to list full or partial safe harbor stipulations with your engagement, hackers might be deterred from it, as they might fear you’ll send them to jail. Hackers hack on crowdsourced security platforms to do the right thing, not the wrong thing.

Extra quick-fire tips 💥

  • Show known issues in the brief.
  • Use Crowdstream as a guide. 
  • Some customers like to list timelines.
  • Pay hackers quickly!
  • Ensure your rewards match the hoops hackers have to jump through.

Conclusion

Thanks for taking the time to read my blog post about writing a compelling brief. I hope you found this helpful! 

If you’d like to hear more from me, check out my last blog post where I help demystify and clarify the best type of crowdsourced offering for your organization.

If there are more topics you’d like to hear a TCSM cover, I’d love to hear from you! You can find me on Twitter and LinkedIn.