The crowdsourced security space is evolving rapidly. At Bugcrowd, we have more first-time Program Owners than ever trying out crowdsourced security economics through our Vulnerability Disclosure Programs and hundreds who have transitioned to on-demand and ongoing Bug Bounty Programs.
We regularly ask Researchers and Program Owners for feedback on these programs; this feedback shapes our recommendations for what a bug is worth and the Vulnerability Rating Taxonomy and is integrated directly into our program models.
We want to ensure that you, as a Researcher, can make informed decisions about which programs best suit your preferences. It is important to note that all original and non-duplicate submissions are rewarded (whether cash or kudos only) based on their criticality, or “priority.”
Bugcrowd supports two program models: Vulnerability Disclosure Programs and Bug Bounty Programs.
Vulnerability Disclosure Programs
A Vulnerability Disclosure Program may take one of three formats:
- A vulnerability disclosure submission form hosted on bugcrowd.com/programs
- An embedded submission form on an organization’s security webpage
- A dedicated email address
What is the impact to your Researcher experience?
- The vulnerability reporting process for submission forms hosted on bugcrowd.com/programs is identical to the reporting process for any public or private bounty program.
- Reporting vulnerabilities to either a dedicated email address or an embedded submission form will generate a claim link that is emailed to you, enabling you to claim the report on the platform.
From this point, the internal review process is the same as other Bugcrowd managed programs: the internal Security Operations team handles the program’s triage and facilitates any necessary communication between the Researcher and Program Owners about the submission.
Important reward details for the Vulnerability Disclosure model:
- Unless otherwise noted, all Vulnerability Disclosure Programs featured on bugcrowd.com/programs only award Kudos points. Any additional reward is at the sole discretion of a Program Owner.
Bug Bounty Programs
Bug Bounty Programs vary based on a customer’s business requirements. Some are run as an on-demand, time-boxed vulnerability testing model. Others are run as an ongoing vulnerability testing model, allowing researchers to test and submit vulnerability reports at any time.
A typical on-demand Bug Bounty Program runs for up to two weeks with a predetermined reward pool. Bugcrowd handles the program’s triage and facilitates any necessary communication between the Researcher and Program Owners about the findings.
What is the impact to you as a Researcher?
With an on-demand Bug Bounty Program, the exact amounts for vulnerabilities fall within a minimum and maximum range (as outlined below), and are dependent on the overall volume/severity of vulnerabilities found by participating researchers.
Important reward details for an on-demand Bug Bounty Program:
- Each priority level has a predefined payout range.
- Payouts vary within the range, based on volume of awardable submissions; if there are many submissions which qualify, the payouts will trend towards the bottom of the reward range.
- In some cases where submission volume is unusually high, payouts might drop below the specified minimum amounts: we closely monitor all on-demand Bug Bounty Programs and temporarily pause them to work through all received submissions if we believe there is a risk of reward dilution.
- Default payout ranges are shown in the table below:
This model ensures that once an on-demand Bug Bounty Program ends and the submissions are reviewed by the Program Owner, you are paid out ASAP (payday is always Wednesday!).
An ongoing Bug Bounty Program typically does not have a specified end date and the reward pool is refilled at regular intervals. Bugcrowd handles the program’s triage and facilitates any necessary communication between the Researcher and Program Owners about the findings.
Important reward details for an ongoing Bug Bounty Program:
- Reward values are specified on the program’s bounty brief.
Rewards will be assigned at any time after a submission has been accepted and moved to the Unresolved state. Review the bounty brief as many organizations will specify when rewards are assigned; some may not assign a reward until the issue is fixed and moved to a Resolved state.
Got questions about bounty programs? Hit us up at firstname.lastname@example.org.