I’m a bug bounty noob with a simple question about the legal aspect of bug bounties and vulnerability disclosure programs.
I’ve spent some time on Bugcrowd and HackerOne trying to find public bug bounties and VDPs to start my hacking journey. However, I quickly realized there were no buttons to subscribe or to make your hacking known to the company you’re interested in, so here is my question:
Once I have read the guidelines and policy of a program (no matter whether it is a bug bounty or a VDP), can I legally go to a domain owned by the company and start active recon and hacking, or is there another step I’m unaware of that I should follow before I start interacting in any way with the target?
Sorry if my question seems silly, but I’d rather ask to avoid getting into trouble later.
Thank you in advance for your answers (and don’t hesitate to tell me if my post wasn’t clear enough; English is not my native language and I haven’t used it in a while).
Hey @Dustbinary! Organisations explicitly state their requirements and the rules to follow in each brief. If it’s not explicitly in scope, it is out of scope. It’s also important to make sure you read the individual program rules! You can read more about this here: Reviewing Bounty Briefs | Bugcrowd Docs.
Thanks for your answer, it’s a bit clearer. I didn’t know what safe harbour was.
So if I understand you correctly, as long as a domain is in scope, I can, for example, start scanning it with nmap right away (as long as scanning is not forbidden by the program) or try to hack it? No need to make myself, my IP address or anything else known to the target as long as that is not required by its program?
Yep! Just double-check the rules and make sure they don’t prohibit nmap scanning, for example. No need to make an IP address known or anything, so long as it’s not required.