Hacker Frequently Asked Questions

If you can’t find what you’re looking for, Contact Us.

Welcome and thanks for your interest in joining our researcher community! Here is a quick checklist to help you get started:

1. CREATE A BUGCROWD RESEARCHER ACCOUNT

Before you can report bugs and be rewarded for your findings, you need to create a Bugcrowd account. Your Bugcrowd account also comes with a profile which can be made public (or private), enabling you to show off your skills and accomplishments to security peers and industry professionals.

2. PICK AN ENGAGEMENT (OR SEVERAL!)

Bugcrowd offers many public programs for well-known brands on which you can hack, with many of them paying out cash as rewards. Each engagement has all of the details you need to start testing, including a list of targets, finding types that are in-scope and out of scope (or excluded), and many programs will list the rewards that they pay out.

3. BEGIN TESTING

If you’re new to crowdsourced testing you may be interested in reading some guides and articles from our researcher community.

4. REPORT A BUG

Once you’ve found a security vulnerability, click the “Submit report” button on the program page.

After you’ve reported a bug you will receive a confirmation from Bugcrowd or the customer that is managing the program. If you don’t receive one within several days, use the Request a Response feature and we will help you out.

5. FILL OUT YOUR PROFILE

Make sure to fill out your profile information to tell the community a bit more about yourself. Many people use this page to show off their skills, as well as link to their personal websites and X accounts.

6. SAY HELLO

The Bugcrowd community team is here to make sure your bounty hunting experience is an awesome one. Whether you need help, have ideas or just want to say hello, we’ll get back to you as soon as we can.

  • Tweet us at @Bugcrowd
  • IRC at irc.freenode.com in the #bugcrowd channel
  • Have a question for Bugcrowd staff? Contact support.

Bugcrowd has many public programs on which you can hack, with many of them paying out cash as rewards. Each program page has all of the details you need to start testing, including a list of targets, finding types that are in-scope and out of scope (or excluded) from the program, and many programs will list the rewards that they pay out.

If you’re new to crowdsourced testing you may be interested in reading some guides and articles from our researcher community. Our blog in particular offers many, many first-hand experiences.


After you’ve reported a bug you will receive a response from Bugcrowd or the customer that is managing the bounty program. If you don’t receive a response within several days, please use the Request a Response feature and we will help you out.



Have a question or concern? Contact support and we’ll help you out.

Valid and accepted bugs submitted to a paid bounty program will result in a payment to your account. After your bug is accepted by the program owner, your reward will be paid out the following Wednesday. Note that to be paid that Wednesday, the reward must be issued by 12:00am PT Wednesday morning; rewards issued later are paid the following week.

Bugcrowd currently supports payments via PayPal and bank transfer. Please refer to our docs for information about how to set up payment methods.

Have more questions about getting paid? Reach out to the support team for more information.

Bug submissions that affect only a single user, that require user interaction or significant prerequisites to trigger, non-exploitable weaknesses, and “won’t fix” vulnerabilities will all receive a low priority rating.

Learn more about our community-driven Vulnerability Rating Taxonomy here.

Validation time can vary by program. If you have submitted a bug and have been waiting for more than two weeks for your bug confirmation, use the Request a Response (RaR) feature to formally request an update on a submission from either Bugcrowd’s triage team or program owner.

Congratulations on receiving an invite to a private program! Invitations are sent out based on researcher performance, so great job on receiving one.

The private invitation email that you received will include the start date and time for the program, the prize pool, number of researchers invited, and the end date and time. See our documentation for more details about this process.

The Bugcrowd Researcher Leaderboard is updated at the beginning of every month. A researcher’s rank on the leaderboard is based on their total number of kudos points earned over all time and over the previous month.

Kudos points are awarded to researchers who submit valid vulnerability reports to programs on Bugcrowd. Read our docs to learn more about how kudos points are awarded and calculated.

All researchers must adhere to the responsible disclosure guidelines that are outlined in the bounty program’s details and rules sections. Bugcrowd’s Disclosure policies apply to all submissions made through the Bugcrowd Platform, including Duplicates, Out of Scope, and Not Applicable submissions. Customers may select Nondisclosure, Coordinated Disclosure, or Custom Disclosure policies to be applied to their program brief. Please refer to our Standard Disclosure Terms for details.

Improper disclosure can result in the researcher being removed from a program and can even result in removal from the Bugcrowd Platform.

If you have any questions about a program’s disclosure policy or process, please contact support and we will be happy to assist you.

Response time can vary by program, with average validation time indicated in the program “Details” tab. Programs with expedited triage times are also indicated as such.

If needed, use the Request a Response (RaR) feature to formally request an update on a submission from either Bugcrowd’s triage team or program owner.

Acceptance Rate is best explained as a comparison of valid to invalid reports. For those that are interested in the details:

Let X = The count of all your valid and duplicate submissions, including P5 won’t-fix

Let Y = The total count of all your submissions, excluding any that are marked ‘not applicable’, have not yet been reviewed, or have only been triaged but not confirmed.

Acceptance Rate = (X / Y) * 100

It’s a simple ratio of all of your accepted submissions to date, versus all submissions you’ve ever made. We exclude ‘not applicable’ submissions, which are those that have been marked by us or a customer as having been made in genuine and well-intentioned error. (And obviously we don’t include submissions that haven’t been finalized yet!)
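The following is an added worked example of the X / Y calculation above, not Bugcrowd’s own code. The submission state names (`valid`, `duplicate`, `p5_wont_fix`, `out_of_scope`, `not_applicable`, `unreviewed`, `triaged_unconfirmed`) and the sample submissions are constructed for illustration and do not correspond to the platform’s actual field values; the point is which states count toward X, which count only toward Y, and which are left out of the denominator entirely.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# States that count toward X (accepted): valid, duplicate and P5 won't-fix.
# Names are constructed for this example, not Bugcrowd's real state values.
ACCEPTED_STATES = {"valid", "duplicate", "p5_wont_fix"}

# States excluded from Y entirely: marked not applicable, not yet reviewed,
# or triaged but not yet confirmed.
EXCLUDED_STATES = {"not_applicable", "unreviewed", "triaged_unconfirmed"}

# Any other finalized state (e.g. a constructed "out_of_scope") is counted in
# Y but not in X, which follows from the formula: only 'not applicable' and
# unfinalized submissions are dropped from the denominator.


@dataclass(frozen=True)
class Submission:
    ref: str
    state: str


def acceptance_counts(subs: Iterable[Submission]) -> tuple[int, int]:
    """Return (X, Y) as defined in the FAQ."""
    x = y = 0
    for s in subs:
        if s.state in EXCLUDED_STATES:
            continue          # neither in X nor in Y
        y += 1
        if s.state in ACCEPTED_STATES:
            x += 1
    return x, y


def acceptance_rate(subs: Iterable[Submission]) -> Optional[float]:
    """Acceptance Rate = (X / Y) * 100, or None when Y is zero
    (no finalized submissions yet, so the rate is undefined)."""
    x, y = acceptance_counts(subs)
    if y == 0:
        return None
    return 100 * x / y


# Constructed sample history: 8 submissions in assorted states.
SAMPLE_SUBMISSIONS = [
    Submission("sub-1", "valid"),
    Submission("sub-2", "valid"),
    Submission("sub-3", "duplicate"),             # counts toward X
    Submission("sub-4", "p5_wont_fix"),           # counts toward X
    Submission("sub-5", "out_of_scope"),          # in Y only
    Submission("sub-6", "not_applicable"),        # excluded from Y
    Submission("sub-7", "unreviewed"),            # excluded from Y
    Submission("sub-8", "triaged_unconfirmed"),   # excluded from Y
]

if __name__ == "__main__":
    x, y = acceptance_counts(SAMPLE_SUBMISSIONS)
    print(f"X={x} Y={y} rate={acceptance_rate(SAMPLE_SUBMISSIONS)}")
```

With the constructed sample, X is 4 (two valid, one duplicate, one P5) and Y is 5 (those four plus the out-of-scope report), so the rate is 80.0; the three excluded submissions do not move the number either way.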
