Legal question about starting bug bounties

Hello people :wave:

I’m a bug bounty noob with a simple question about the legal aspect of bug bounties and vulnerability disclosure programs.

I’ve spent some time on Bugcrowd and HackerOne trying to find public bug bounties and VDPs to start my hacking journey. However, I quickly realized there were no buttons to subscribe or make your hacking known to the company you’re interested in, so here is my question:

Once I have read the guidelines and policy of a program (no matter whether it is a bug bounty or a VDP), can I legally go to a domain owned by the company and start active recon and hacking, or is there another step I’m unaware of that I have to follow before I start interacting in any way with the target?

Sorry if my question might seem silly, but I’d rather ask to avoid getting in trouble later.

Thank you in advance for your answers (and don’t hesitate to tell me if my post wasn’t clear enough; English is not my native language and I haven’t used it in a while). :slight_smile:

Hey @Dustbinary! Organisations explicitly state their requirements and rules to follow in each brief. If it’s not explicitly in-scope it is out of scope. It’s also important to make sure you read the individual program rules! You can read more about this here: Reviewing Bounty Briefs | Bugcrowd Docs.

Additionally, some programs will offer safe harbour (you can read more here: Disclose.io and Safe Harbor | Bugcrowd Docs) where they commit to a set of core terms (GitHub - disclose/dioterms: Open-source vulnerability disclosure policy templates.)

Hi @drunkrhin0,

Thanks for your answer, it’s a bit clearer. I didn’t know what safe harbour was :slight_smile:

So if I understand you correctly, as long as a domain is in scope, I can, for example, start scanning it with nmap right away (as long as scanning is not forbidden in the program) or try to hack it? No need to make myself, my IP address or anything else known to the target as long as that is not required by its program?

Yep! Just double check the rules and make sure they don’t prohibit nmap scanning for example. No need to make an IP address known or anything so long as it’s not required.

I’ll use the Bugcrowd program itself as an example: Bugcrowd’s bug bounty program - Bugcrowd

As shown in the image below, these assets are marked as in-scope. You have consent to scan these assets or try to hack them.

You can also see specific exclusions for the particular program here:

Finally, towards the bottom, you can see the Safe Harbor and program rules section.
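The rule the reply above applies is simple but easy to get wrong under time pressure: a host is fair game only if it matches an in-scope entry and does not match an exclusion, and anything not listed is out of scope. The following is an added example, not code from the thread or from Bugcrowd, of a small scope gate you can run over a target list before starting any tool. The in-scope and excluded entries are constructed placeholders (the `example-program.test` domain is not a real program); replace them with the entries from the brief you are working on.

```python
"""Scope gate: decide whether a target may be tested under a program brief.

Added example, not part of the original thread. Applies the rule stated in
the thread: not explicitly in scope means out of scope, and an explicit
exclusion wins over a broader in-scope wildcard. Scope entries below are
constructed placeholders, not a real program's brief.
"""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed example scope (assumption): swap in the real brief's entries.
IN_SCOPE = ["example-program.test", "*.example-program.test"]
EXCLUDED = ["mail.example-program.test", "*.corp.example-program.test"]


def hostname_of(target: str) -> str:
    """Normalise a URL, host:port or bare hostname to a lowercase hostname."""
    if "://" not in target:
        # urlsplit only recognises a netloc after '//', so add it for bare hosts.
        target = "//" + target
    host = urlsplit(target).hostname
    if not host:
        raise ValueError(f"no hostname in {target!r}")
    return host.lower()


def matches_any(host: str, patterns) -> bool:
    """fnmatch-style match against scope entries.

    '*.foo.test' matches 'a.foo.test' and 'a.b.foo.test' but not 'foo.test'
    itself and not a lookalike such as 'foo.test.other.test', because the
    pattern must match the whole hostname.
    """
    return any(fnmatchcase(host, pattern.lower()) for pattern in patterns)


def scope_decision(target: str, in_scope=IN_SCOPE, excluded=EXCLUDED) -> tuple[bool, str]:
    """Return (allowed, reason) for one target.

    Exclusions are checked first so they override any in-scope wildcard;
    hosts that match nothing are reported as out of scope, never assumed in.
    """
    host = hostname_of(target)
    if matches_any(host, excluded):
        return False, f"{host}: explicitly excluded by the program"
    if matches_any(host, in_scope):
        return True, f"{host}: matches an in-scope entry"
    return False, f"{host}: not listed as in scope, so treated as out of scope"


def filter_targets(targets, in_scope=IN_SCOPE, excluded=EXCLUDED) -> tuple[list, list]:
    """Split a target list into (allowed hostnames, rejection reasons)."""
    allowed, rejected = [], []
    for target in targets:
        ok, reason = scope_decision(target, in_scope, excluded)
        (allowed if ok else rejected).append(allowed and reason or reason) if False else None
        if ok:
            allowed.append(hostname_of(target))
        else:
            rejected.append(reason)
    return allowed, rejected


if __name__ == "__main__":
    # Constructed target list mixing in-scope, excluded, unlisted and lookalike hosts.
    sample = [
        "https://api.example-program.test/login",
        "example-program.test:443",
        "mail.example-program.test",
        "vpn.corp.example-program.test",
        "example-program.test.other.test",
        "unrelated.test",
    ]
    ok_hosts, reasons = filter_targets(sample)
    print("allowed:", ok_hosts)
    for r in reasons:
        print("rejected:", r)
```

Feed the allowed list, not the raw one, to whatever you run next; the lookalike case (`example-program.test.other.test`) is the one people most often get wrong with a naive "ends with" or substring check, and the exclusion-first ordering is what keeps a `*.` wildcard from quietly swallowing an explicitly excluded host.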

Thank you @drunkrhin0.

I was having a doubt about how to proceed to start but it’s much clearer now. That was all for my questions :slightly_smiling_face:


Hi @Dustbinary,

I had the exact same question! Thank you for asking!!
I’m also extremely new to this.

Good luck!
