A well-defined scope is crucial in a crowdsourced security program because it tells researchers clearly what they can and cannot test within the boundaries of the engagement. A narrow scope may result in coverage and testing gaps, while an overly broad scope may divert resources and distract time-constrained hackers from what's needed. It's essential to expose as much of your footprint as possible, tier assets based on their value, and decide how you'll handle submissions that are valid but out of scope. The focus areas section should call out specific situations, such as new features or attack vectors, and provide high-level information and relevant documentation about in-scope assets. The out-of-scope section clearly outlines what is not allowed, including exclusions and ratings. Rewards should be linked to a specified priority level in the program brief, should match or exceed market value, and should grow over time. Finally, the disclosure and rules section sets out the policy on disclosure, along with any supplemental guidelines for participation, ensuring clarity and consistency for all parties involved.