We released fixes and performance optimizations to ensure consistent data between the Statistics page and the Submissions and Bounty dashboard.
18
+
We released fixes and performance optimizations to ensure consistent data between the Statistics page and the [Submissions and Bounty dashboard.](/programs/submissions-bounty-dashboard.html)
19
19
20
20
### Team Member Eligibility
21
-
Team member eligibility settings allow you to configure a list of email domains that are eligible to join your program. These settings will allow or block a user when accepting an invitation, but will not affect any users that are already a member of the program.
21
+
[Team member eligibility settings](./programs/team-member-eligibility.html) allow you to configure a list of email domains that are eligible to join your program. These settings will allow or block a user when accepting an invitation, but will not affect any users that are already a member of the program. You can set team member eligibility regardless of saml usage.
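Review bot: The two links added in this hunk use different path styles: the dashboard link is root-relative (`/programs/submissions-bounty-dashboard.html`) while the eligibility link is `./programs/team-member-eligibility.html`, so they resolve differently unless this page sits at the site root. Pick one style for both. In the dashboard link the sentence's full stop is inside the link text, and "saml" in the new last sentence should be written "SAML".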
docs/programs/asset-based-credential-management.md
+33 -61 (33 additions & 61 deletions)
@@ -11,71 +11,32 @@ Credentials can be granted based on Team or Asset. This setting can be changed b
11
11
### Asset-Based Credentials
12
12
Asset-based credential management has additional steps of downloading a template which contains some pre-filled information about your project. Once you complete and upload the template, credentials will be assigned to the specified hackers.
13
13
14
-
Programs can download their asset file; modify it and upload their CSV back.
15
-
16
-
#### CSV Format
17
-
When you navigate to the credentials area, you will see an option to first download the template which will auto-populate some of the fields with information from your project. The Asset ID and Asset information are required in the CSV when using Asset-specific credentials. The Assigned To column can be left empty if there is no credential inquiry required, and any hacker can claim the credentials.
18
-
19
-
For Team-specific credentials, those two categories are not required. See the example below.
14
+
Programs can download their asset file, modify it, and re-upload their CSV.
When you navigate to the credentials area, you will see an option to first download the template which will auto-populate some of the fields with information from your project. The **Asset ID** and **Asset information** are required in the CSV when using Asset-specific credentials. The **Assigned To column** can be left empty if there is no credential inquiry required, and any hacker can claim the credentials.
22
20
23
-
Asset ID
24
-
Asset
25
-
Assigned To
26
-
Username
27
-
Password
28
-
1
29
-
https://hackerone.com
30
-
hacker-john
31
-
John
32
-
john123
33
-
2
34
-
https://api.hackerone.com
35
-
21
+
**Note:** For Team-specific credentials, those two categories are not required. See the example below.
36
22
37
-
Jacob
38
-
jingleheimer123
39
-
3
40
-
https://hackerone-attachments.s3.amazonaws.com/
41
23
24
+
Asset ID | Asset | Assigned To | Username | Password
25
+
------ | -------
26
+
1 | https://hackerone.com | hacker-john | John | john123
27
+
2 | https://api.hackerone.com | | Jacob | jingleheimer123 |
Each hacker is allowed to claim one credential. If a hacker needs two logins, such as a regular account and an admin account, then both of those usernames and passwords can be put into the same credential for that hacker to claim. See examples below.
48
33
49
34
Table appearance:
50
-
Asset ID
51
-
Asset
52
-
Assigned To
53
-
Username
54
-
Password
55
-
Username2
56
-
Password2
57
-
1
58
-
https://hackerone.com
59
-
hacker-john
60
-
John
61
-
john123
62
-
JohnAdmin
63
-
johnadmin123
64
-
2
65
-
https://api.hackerone.com
66
-
jacob-123
67
-
Jacob
68
-
jingleheimer123
69
-
JacobAdmin
70
-
schmidtadmin123
71
-
3
72
-
https://hackerone-attachments.s3.amazonaws.com/
73
-
jane-hacks
74
-
Jane
75
-
jane123
76
-
JaneAdmin
77
-
janeadmin123
78
-
35
+
Asset ID | Asset | Assigned To | Username | Password | Username2 | Password2
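Review bot: In the new five-column pipe table the delimiter row `------ | -------` has only two cells, and the second data row ends with a trailing `|` that the first row lacks. GitHub Flavored Markdown requires the delimiter row to have the same number of cells as the header, otherwise the block is not recognized as a table, so suggest `--- | --- | --- | --- | ---` and consistent row endings. Separately, `**Assigned To column**` bolds the word "column"; `**Assigned To** column` would match how the other two field names are marked.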
@@ -85,45 +46,54 @@ The hacker provides the information via the program’s Policy Page.
85
46
86
47
When it’s not necessary to request information from the hacker before creating credentials, you can immediately add credentials.
87
48
49
+
[Add your credentials](./images/asset-based-2.png)
88
50
89
51
52
+
[What information do you need](./images/asset-based-3.png)
90
53
91
54
55
+
You will see a list of hackers that requested credentials and provided the needed information.
92
56
57
+
[hackers that requested credentials & provided info](./images/asset-based-4.png)
93
58
94
-
95
-
96
-
97
-
98
-
99
-
You will see a list of hackers that requested credentials and provided the needed information.
100
59
### Hacker Assignment
101
60
#### Claiming Credentials
102
61
103
62
When a program has an asset that does not require information from a hacker, the hacker can claim a credential via the program’s Policy Page. Once the credential is claimed by the hacker, the credential is automatically assigned to them.
[Assets with credentials](./images/asset-based-6.png)
105
67
106
68
#### Requesting Credentials
107
69
When a program has a credential inquiry, the hacker can’t immediately claim credentials. First, they need to request credentials and provide the necessary information.
108
70
109
71
Once the information is provided, the hacker is put on a waiting list until the Program Manager creates the credential and assigns the hacker to these credentials.
When creating a new credential and assigning the credential to a hacker via CSV upload. Once the credential is assigned the hacker is removed from the waiting list.
117
81
118
82
As the hacker provides the information, the Program Manager is notified every 5 days per e-mail. The information given by the hacker shows up in the list on the Credential Management page. From here you can download the list with credential inquiry responses.
To assign credentials to hackers, you need to create a CSV file with credentials and put the hacker’s username to the (already provided) Assigned To column. This column can be left empty if there is no credential inquiry required, and any hacker can claim the credentials.
122
88
123
89
When the credential is assigned to a hacker, the hacker is notified. If a hacker is not a whitelisted reporter in the program, an error is raised.
If a hacker has violated your policy or HackerOne’s code of conduct, you can revoke the credential rights of a hacker by clicking Revoke next to the username of the hacker. You'll also need to invalidate the account on your own platform to prevent the hacker from logging in and reset the password when you recycle the credential for another user.
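Review bot: The screenshot references added in this hunk, such as `[Add your credentials](./images/asset-based-2.png)`, are written as ordinary links, so Markdown renders a hyperlink to the PNG rather than the image. If inline screenshots are intended, prefix each with `!`, e.g. `![Add your credentials](./images/asset-based-2.png)`, and do the same for asset-based-3 and asset-based-4. While this section is being touched, the context sentence "When creating a new credential and assigning the credential to a hacker via CSV upload." is a fragment and could be merged with the sentence that follows it.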
@@ -132,3 +102,5 @@ Credentials are also automatically revoked when a hacker leaves a program for an
132
102
133
103
#### Delete All Credentials
134
104
If you want to delete all credentials on all the assets, click on the Reset button. This action will delete both the assigned and unassigned credentials.
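Review bot: The Delete All Credentials paragraph at the end of this hunk names the action "delete" in the heading and "Reset" on the button, and does not say whether the action asks for confirmation or can be undone. Unlike the Revoke paragraph just above, it also carries no reminder to invalidate the corresponding accounts on the program's own platform. Suggest one added sentence covering both points.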