Getting started with community security takes less than 2 minutes. Get started by following these 3 simple steps:
- Design Your Community Security Page: Start by designing an amazing page with your brand colors. This page is hosted on www.getastra.com & anyone looking to report a vulnerability will report from this page. An example of Astra’s community security page can be found here. Now all you have to do to make a page like this is:
- Go to ‘General Information’ under the Community Security tab of your Astra dashboard
- Add your company logo
- Set Program Status from Published, Draft or Unlisted. Here’s what they mean:
- Published: This means that your program is published on our website & indexed by search engines. Often hackers search for terms like ‘your-business-name report a vulnerability’. If your program is in ‘Published’ mode it will be visible to search engines and listed on our community security programs directory.
- Unlisted: If your program is unlisted, it won’t be indexed by search engines & won’t be listed on our programs list. This means, the only way a hacker can find this page is via your website or if you send them this link to report the vulnerability.
- Draft: As the name suggests, the program is not live and currently being edited by you or your colleagues.
- Add your company name followed by URL you’ll like the program to have on our website. It could your company name or something random. P.S. make sure that there shouldn’t be any spaces in the URL. Add multiple words with ‘-‘ between them (eg. /astra-security and not /astra security).
- Add your website followed by one line about your business, it could be your tagline too.
- Further, you can add your unique brand color to the page by giving hex of your brand.
- Click on ‘Save security page’ and voila! You have a new community security program 😀
- Edit Program Policy: From our experience, we’ve made the best-suited program policy for you. If you want to add more points to it, please feel free to do so. Usually, the program policy fits all businesses out of the box. P.S. It’s not a legal advise from us though.
- Scope: Add your website/app URLs in the scope so that no hacker tests or report anything beyond the scope defined by you.
- Rewards: Define what rewards you would like to give to hackers. Here are some options we already have for you:
- Hall of Fame: After Astra’s security engineers find a bug reported to be valid & you get it fixed – hackers are put on an exclusive hall of fame page of yours! It’s like a pat on the back of the good guys 🙂 Here’s how it looks:
- Cash Prizes: On an average one vulnerability in business can cause a loss of $5000! Now, if you’d like to reward hackers with a small cash bounty it’ll really go a long way for them considering the efforts they put. Cash rewards can start from as low as $10 to whatever you deem correct.
- Merchandise: Offer exclusive coupons of your store or your business t-shirt or absolutely anything that says thank you to them!
- Other: If there’s anything else in your mind please feel free to list (job/project/a coupon etc).
The above steps take 2 minutes for you to get started with Astra’s community security program! If you have more questions, please feel free to reach out to us at firstname.lastname@example.org.