# Roles & Licensing
RedPick uses a unified role-based access control system. All users (internal staff, licensed clients, bug hunters) log into the same application — desktop or web dashboard — with different levels of access based on their role and license tier.
## Roles
### admin — Platform Administrator
Who: BeDefended internal staff responsible for managing the platform.
Access: Everything. User management, settings, webhooks, approved targets, CI/CD, vulnerability library, monitoring, assignments, cost tracking, ticket management.
Can do:
- Manage all users (create, edit, delete, assign roles)
- Configure webhooks, SIEM integrations
- Manage approved targets and scope
- View all engagements, findings, reports
- Launch pentests, use terminal
- Manage licenses
- View and resolve support tickets
- Access all engagement sub-pages (chains, timeline, compliance, threat model, etc.)
### pentester — Internal Pentester
Who: BeDefended security consultants who run penetration tests.
Access: All testing and analysis features, but no platform administration.
Can do:
- Launch automated pentests (`/pentest`)
- Use terminal, knowledge refresh
- Full access to all engagement sub-pages
- Generate reports with any template
- Use Burp/Caido extension + AI proxy analyzer
- View confidence calibration, learning, compare tools
- View and resolve support tickets
Cannot do: User management, settings, webhooks, approved targets, CI/CD admin, cost tracking.
### client — Licensed Client (Self-Service PT)
Who: An external company that purchased a BeDefended license to run automated penetration tests on their own applications.
Example: "Acme SRL" buys a Professional license. Their security team installs the desktop app, connects Burp Suite, and runs `/pentest` against their webapp. They generate reports with their own branded DOCX template.
Access: Focused on running tests and viewing results. No internal tools.
Can do:
- Launch automated pentests
- View their engagements: Overview, Findings, Report, Generate Report, Compliance, Executive Brief
- Upload their own report DOCX template
- Upload RSA public key for encrypted report delivery
- Proxy History (Professional+ license with the `proxy_manual` feature)
- Submit bug reports
Cannot do: Terminal, Knowledge Refresh, Vuln Library, Webhooks, Confidence, Learning, Tool Compare, Assignments, Costs, Monitoring, CI/CD.
### client_viewer — Read-Only Client
Who: The technical contact or manager at a company that BeDefended is testing. They don't run tests — they receive results.
Examples:
- CTO: Commissioned a pentest from BeDefended. Logs in to see findings in real-time as they're discovered.
- Auditor: Needs read-only access to verify compliance reports.
- Dev Lead: Reads findings and remediation suggestions so the team can fix vulnerabilities.
Access: Read-only view of assigned engagements.
Can do:
- View their assigned engagements: Overview, Findings, Report, Compliance, Executive Brief
- Download reports (plain or encrypted with their RSA key)
- Upload RSA public key for encrypted delivery
- Submit bug reports
Cannot do: Launch pentests, generate reports, use proxy, terminal, or any admin/analysis features.
### bughunter — Bug Bounty Hunter
Who: Independent security researchers or teams who participate in bug bounty programs on platforms like HackerOne, Bugcrowd, Intigriti, YesWeHack.
Example: A freelance bug hunter buys a Bughunter license. They connect their HackerOne account, sync programs, run automated scans against in-scope targets, then push findings as reports directly to the platform.
Access: Focused on bug bounty workflow — recon, scanning, findings, platform integration.
Can do:
- Launch automated pentests (with `--bug-bounty` mode) exclusively against in-scope targets from synced BB programs
- View engagements: Overview, Findings, Report, Generate Report, Proxy History, Scan Intel
- Connect bug bounty platforms (HackerOne, Bugcrowd, Intigriti, YesWeHack)
- Sync programs, scope, bounty tables
- Push findings as reports directly to platforms
- Track submissions: status, bounty amount, payout stats
- Use Burp/Caido extension + AI proxy analyzer
- Submit bug reports
Cannot do: Terminal, Knowledge Refresh, Vuln Library, Webhooks, Confidence, Learning, Assignments, Costs, Monitoring, CI/CD. Cannot scan arbitrary/private targets — only targets present in synced BB program scopes.
Scope enforcement: When a bughunter launches a pentest, the target URL is validated against `scope_json` from all their synced bug bounty programs. If the target doesn't match any in-scope asset on any platform, the session is blocked (HTTP 403). The `--bug-bounty` mode flag is also mandatory. This prevents bughunters from using their subscription to scan private targets as if they were pentesters.
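The scope check described above, written out as an added example (not RedPick's own code). It assumes a `scope_json` layout the page does not specify: a list of programs, each with in-scope hostnames where a leading `*.` covers subdomains only. Every failure path denies, which is the property a defender wants from this gate.

```go
package main

import (
	"encoding/json"
	"net/url"
	"strings"
)

// Program is one synced bug bounty program. The scope_json layout is an assumption for
// this example: a list of in-scope hostnames, optionally "*."-prefixed to cover subdomains.
type Program struct {
	Name    string   `json:"name"`
	InScope []string `json:"in_scope"`
}

// Constructed sample scope_json for two programs; not real program data.
const sampleScopeJSON = `[{"name":"acme","in_scope":["*.acme-example.com"]},{"name":"widgets","in_scope":["shop.widgets-example.com"]}]`

// hostMatches: "*.base" covers subdomains of base only (not the apex, not "evil-base").
func hostMatches(host, entry string) bool {
	host, entry = strings.ToLower(host), strings.ToLower(entry)
	if strings.HasPrefix(entry, "*.") {
		return strings.HasSuffix(host, entry[1:]) // entry[1:] is ".base"
	}
	return host == entry
}

// AuthorizeScan returns (false, reason) when the session must be blocked (HTTP 403), else (true, match).
// Every failure path denies, so a broken scope sync cannot widen what a bughunter may scan.
func AuthorizeScan(target string, bugBountyMode bool, scopeJSON []byte) (bool, string) {
	if !bugBountyMode {
		return false, "--bug-bounty mode is mandatory for bughunter accounts"
	}
	u, err := url.Parse(target)
	if err != nil || u.Hostname() == "" {
		return false, "target must be an absolute URL"
	}
	var programs []Program
	if err := json.Unmarshal(scopeJSON, &programs); err != nil {
		return false, "scope_json could not be parsed"
	}
	for _, p := range programs {
		for _, entry := range p.InScope {
			if hostMatches(u.Hostname(), entry) {
				return true, "in scope of " + p.Name + " via " + entry
			}
		}
	}
	return false, "target is not in any synced program scope"
}
```

Note that a relative target such as `api.acme-example.com` parses with an empty hostname and is rejected rather than guessed at.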
## Role Comparison Matrix
| Feature | admin | pentester | client | client_viewer | bughunter |
|---|---|---|---|---|---|
| Dashboard | Yes | Yes | Yes | Yes | Yes |
| Pentest Sessions | Yes | Yes | Yes | - | Yes |
| Terminal | Yes | Yes | - | - | - |
| Knowledge Refresh | Yes | Yes | - | - | - |
| CI/CD Reviews | Yes | - | - | - | - |
| Vuln Library | Yes | - | - | - | - |
| Webhooks | Yes | - | - | - | - |
| Approved Targets | Yes | - | - | - | - |
| Confidence | Yes | Yes | - | - | - |
| Monitoring | Yes | - | - | - | - |
| Learning | Yes | Yes | - | - | - |
| Assignments | Yes | - | - | - | - |
| Costs & ROI | Yes | - | - | - | - |
| Tool Compare | Yes | Yes | - | - | - |
| Compare Engagements | Yes | Yes | - | - | - |
| Settings | Yes | - | - | - | - |
| Ticket Management | Yes | Yes | - | - | - |
| Submit Tickets | Yes | Yes | Yes | Yes | Yes |
| --- | | | | | |
| Engagement: Overview | Yes | Yes | Yes | Yes | Yes |
| Engagement: Findings | Yes | Yes | Yes | Read | Yes |
| Engagement: Chains | Yes | Yes | - | - | - |
| Engagement: Timeline | Yes | Yes | - | - | - |
| Engagement: Report | Yes | Yes | Yes | Yes | Yes |
| Engagement: Generate Report | Yes | Yes | Yes | - | Yes |
| Engagement: Retest | Yes | Yes | - | - | - |
| Engagement: Access Matrix | Yes | Yes | - | - | - |
| Engagement: Compliance | Yes | Yes | Yes | Yes | - |
| Engagement: Surface Drift | Yes | Yes | - | - | - |
| Engagement: Remediation | Yes | Yes | - | - | - |
| Engagement: Threat Model | Yes | Yes | - | - | - |
| Engagement: Executive Brief | Yes | Yes | Yes | Yes | - |
| Engagement: Retro | Yes | Yes | - | - | - |
| Engagement: Attack Sim | Yes | Yes | - | - | - |
| Engagement: Proxy History | Yes | Yes | License | - | Yes |
| Engagement: Scan Intel | Yes | Yes | - | - | Yes |
| --- | | | | | |
| Bug Bounty Platforms | Yes | Yes | - | - | Yes |
| Upload Report Template | Yes | Yes | Yes | - | - |
| Upload Public Key | Yes | Yes | Yes | Yes | Yes |
| Encrypted Report Download | Yes | Yes | Yes | Yes | Yes |
## License Tiers
Licenses apply to external users (client, client_viewer, bughunter). Internal staff (admin, pentester) don't need a license.
### Client Tiers
| | Essentials | Professional | Enterprise |
|---|---|---|---|
| Target audience | SMB, 1-2 apps | Mid-size, app portfolio | Large organization |
| Users | 3 | 10 | Unlimited |
| Engagements/month | 5 | 20 | Unlimited |
| Devices | 6 | 20 | Unlimited |
| Automated pentest | Yes | Yes | Yes |
| Custom report template | Yes | Yes | Yes |
| Compliance mapping | - | PCI-DSS, SOC2 | All frameworks |
| Burp extension + AI analyzer | - | `proxy_manual` | Yes |
| Executive Brief | - | Yes | Yes |
| Webhooks & SIEM | - | Yes | Yes |
| API access | - | Read-only | Full |
| CI/CD integration | - | - | Yes |
| Encrypted report delivery | Yes | Yes | Yes |
### Bughunter Tiers
| | Solo | Team | Pro |
|---|---|---|---|
| Target audience | Solo researcher | Small team (2-5) | Full-time BB team |
| Users | 1 | 5 | 15 |
| Platform connections | 2 | 5 | Unlimited |
| Pentests/month | 10 | 50 | Unlimited |
| Bug Bounty mode | Yes | Yes | Yes |
| Direct platform push | Yes | Yes | Yes |
| Submission tracking | Yes | Yes | Yes |
| Payout dashboard | - | Yes | Yes |
| Burp extension + AI analyzer | Yes | Yes | Yes |
| Recon + Discovery | Yes | Yes | Yes |
| Scan Intel | - | Yes | Yes |
| Collaboration | - | Yes | Yes |
## Encrypted Report Delivery
Reports can be delivered encrypted using hybrid RSA + AES-256-GCM encryption.
### Flow
- User uploads RSA public key: `POST /api/v1/auth/me/public-key` (PEM format, 2048+ bits)
- Server encrypts report: a random AES-256 key encrypts the file, RSA-OAEP encrypts the AES key
- User downloads encrypted report: `GET /engagements/{name}/report/download/encrypted`
- Client decrypts locally: uses the private key (never leaves the device) to decrypt
### Security properties
- End-to-end: Even if the server is compromised, reports are encrypted at rest per recipient
- Forward secrecy: Each report uses a unique AES key
- Non-repudiation: Only the holder of the private key can decrypt
- Algorithm: RSA-4096 OAEP + AES-256-GCM (NIST approved)
## Ticketing System
All users can submit bug reports and feature requests via the built-in ticketing system.
### User flow
- Click "Report Bug" in the app (any role)
- Fill in: title, description, category (bug/feature/question), priority
- Environment info (app version, platform) is auto-collected
- Ticket is created in the database AND automatically pushed as a GitHub Issue to `sbbedefended/redpick`
### Admin flow
- View all tickets in the dashboard (admin only)
- Update status: open -> in_progress -> resolved -> closed
- Add resolution notes
- When resolved/closed, the corresponding GitHub Issue is automatically closed
### GitHub sync
- Issues are created via `gh issue create --repo sbbedefended/redpick`
- Labels: `bug`/`enhancement`/`question` + `priority: X` + `user-reported`
- Issue title format: `[Ticket #ID] Original title`
- Body includes: reporter email, category, priority, platform, description
- Resolution syncs back: closing a ticket closes the GitHub issue