Platform changelog

For Companies 

Vulnerability Assessment with CVSS 4.0 Calculator 

What we did: We have integrated the CVSS 4.0 calculator into our platform, allowing companies to opt for this advanced vulnerability scoring system as an alternative to the existing CVSS 3.1 model. This setting can be configured at the company level via Admin settings and will apply to all future submissions. 

Why we did it: To provide our customers with a more precise, granular, and comprehensive method for assessing vulnerabilities. CVSS 4.0 offers improved alignment with real-world risk, addressing feedback from customers who require greater accuracy for their evolving security needs and risk management strategies. 

Who it helps: This feature benefits companies by enabling more accurate vulnerability evaluations, leading to better-informed remediation prioritization and resource allocation. It also fosters fairer assessments for researchers and enhances transparency in the evaluation process, reducing ambiguity and potential disputes. 

Read more about using the CVSS 4.0 calculator here 

For Companies  

Introducing asset management  

What we did: We have transitioned asset management from the program level to the company level, creating a centralized repository of unique company assets. Existing program domains have been migrated to this new company list, and duplicate domains (those with identical names and types) have been merged into single, unique entries.  

Company Admins can now create, edit (changes apply across all programs using the asset), and archive/unarchive assets centrally.  

Why we did it: The previous lack of a centralized asset list created operational inefficiencies, hindered accurate reporting (like submissions per asset or vulnerability trends), prevented a clear view of the attack surface, and blocked effective matching of researchers to relevant assets. This foundational change establishes a single source of truth for assets, improving data structure and resolving these limitations. 

Who it helps: This provides companies with a streamlined and unified way to manage their assets, reducing errors and inconsistencies. It creates a robust data foundation essential for future capabilities, such as detailed asset-level reporting, enhanced attack surface insights, and more effective matching of researchers to assets aligning with their skills and interests. Ultimately, it improves data quality and scalability for the entire platform. 

Read more about managing company assets here. 

Companies & Researchers 

'Informative' submission close Reason changed to neutral  

• What we did: Updated the 'Informative' submission close reason from positive to neutral. This change applies only to submissions closed from this date forward. Consequently, 'Informative' submissions will no longer impact validity ratios or program contributor status. 

• Why we did it: To ensure researcher validity ratios accurately reflect impactful contributions, enhance the fairness of evaluations, and address specific customer feedback requesting a neutral option. 

• Who it helps: This provides companies with a more accurate and reliable way to evaluate researcher performance based on impactful findings. It helps researchers by ensuring their statistics and reputation genuinely reflect the value they deliver through actionable vulnerability reports. 

Read more about submission close reasons here

Researchers 

Industry discovery feature 

• What we did: We added industry information tags to programs and specific skill tags to assets. 

• Why we did it: Offer researchers a more personalized guidance towards relevant opportunities right from the start. 

• Who it helps: This helps new and existing researchers find programs and assets matching their interests and expertise more easily, leading to increased activity and a better platform experience. Ultimately, this benefits companies by engaging a wider pool of relevant researcher talent. 

Companies

Updates to the LoA and Pentest Report

We've updated the Letter of Attestation (LoA) and Pentest Report exports. For completed comprehensive pentests, we've added pentest checklist items to the reports.

Advanced Search on Submission

Overview You can now refine your searches on the submission overview. When using the text search, you can choose specific fields within a submission to search (e.g., Title, Internal Reference, Submission Code), making it easier to find the submissions you need.

Companies

Custom Bounties in the Company API For larger customers using our Company External API, you can now override the standard bounty amount and award custom bounties when accepting submissions, offering you more flexibility in rewarding researchers over API.

Addition of a 4th and 5th Bounty Tier We've added two new bounty tiers to provide you with more flexibility in customizing your program rewards based on the importance, complexity, and maturity of your assets. More details about bounty tiers can be found in our Knowledge Base.

Pentesting Checklists You can now request researchers to complete a web application testing checklist when they perform a pentest for your program. This will help ensure a more structured testing process.

Improvements to Credentials Upload We've improved the credentials upload functionality to ensure that the order of credentials you provide is maintained within the platform.

Researchers

Enhanced Onboarding Experience New researchers joining the platform will now go through an onboarding process. This will allow them to provide more information about their skills and preferences, helping them personalize their experience on the platform.

Improvements to Markdown Editor We've introduced some minor improvements to our Markdown editor, which you use for submitting and discussing vulnerabilities, to make your experience even more seamless.

Researchers

Engagement Logs

We've added a new feature that allows you to share data on the amount of time you spend hunting on the domains of a program. By submitting engagement logs, you'll be able to see insights into where other researchers have been focusing their efforts. Please note that we are currently in the data-gathering phase for this feature.

Full-Screen Inline Images

You can now click on images within the platform to open them in full-screen mode for easier viewing.

Companies

Program Budget Notifications

Company admins can now configure a budget threshold to receive notifications when their program budget falls below a specified limit. This feature is perfect for companies seeking an early warning before their program risks automatic suspension. More details about the low-budget notifications are available in the Knowledge Base.

Delete Hybrid Program Drafts

Admins can now delete drafts of hybrid programs, just as they can for bug bounty drafts. While launching programs is always our goal , this update helps maintain a clean platform by allowing the removal of unneeded or mistakenly created drafts.

Submission retesting is here!

Now, companies can request retests for accepted submissions to ensure vulnerabilities have been resolved. Simply specify a bounty and deadline for the retest. The researcher will confirm if the issue is still present.

For more information, visit our latest changelog

Companies

PDF and CSV Export

Exporting submissions as PDF or CSV is now available through the latest version of the Company External API, providing more flexibility and accessibility in handling submission data.

Researcher Platform Statistics

We've refined the researcher overview to allow toggling between program-specific stats and overall platform stats, addressing previous confusion and enhancing clarity.

Hybrid Program Export Improvements

Numerous improvements have been made to the Letter of Attestation and Pentest Report exports for Hybrid programs, ensuring more accurate and comprehensive documentation.

Researchers

Active Researchers

Researchers can now mark themselves as active on any non-VDP bug bounty program. On a program detail page, researchers will have the option to indicate through a toggle in the ‘Program actions’ card that they are 'active on this program and open to collaborate'