Scoping & Asset Management

Clear scope keeps researchers focused and your legal teams confident. NidFul gives you tooling inspired by NidFul's policy manager, with extra attention to regional infrastructure realities.

Build Your Asset Inventory

1. Upload a CSV of domains, subdomains, APIs, and mobile package identifiers.
2. Categorise assets by sensitivity (critical, high, medium, low).
3. Tag assets with owners—product squads, infrastructure teams, or vendors.

Define In-Scope vs Out-of-Scope

• Include production systems that handle customer data or payments.
• Explicitly cover staging or sandbox environments if they reflect production.
• Exclude third-party services you do not control, unless agreements exist.
• List prohibited techniques: DDoS, spam, social engineering, destructive testing.

Version Your Policy

• NidFul stores policy revisions with timestamps and diff views.
• Announce scope changes via researcher notifications and RSS feeds.
• Keep at least 30 days’ notice before removing payouts for specific vulnerabilities.

Regional Considerations

• Clarify data residency (Nigeria, South Africa, EU) to address cross-border laws.
• For telecom partners, reference regulator guidance (e.g., NCC, ICASA).
• Provide local contact windows for critical issues impacting essential services.

Automate Updates

• Enable the Scope Drift Monitor to flag DNS changes or certificate mismatches.
• Integrate with your CMDB or asset management tools.
• Schedule quarterly scope reviews with product and legal teams.

Communicate Transparently

• Use clear examples—“Report IDOR on api.examplebank.ng/user/transfer”—to set expectations.
• Provide contact channels for urgent out-of-scope discoveries to avoid disclosure delays.
• Offer feedback when researchers propose additional assets to include.

Next, explore Triage & Remediation Workflow to operationalise how findings move from inbox to fix.