Setting Program Reward Ranges

Setting a range for bounties is a great way to align expectations between you and the researcher community. Adding granularity is encouraged because it makes the potential payout clear. Clear payout ranges give researchers an understanding of the potential return on investment (ROI) and help dictate where they focus their testing efforts.

Crowdcontrol makes it easy to communicate clear reward ranges directly on your bounty brief, based on the technical severity of the vulnerability.

[Screenshot: program-brief]

Set Prior to Program Launch: Reward ranges may only be set by the Owner, Admin, or Analyst prior to the program going live. Once the program is live, please submit a support ticket through the Bugcrowd Support Portal to get assistance with editing the reward range.

To set up bounty reward ranges on your program brief follow the steps below:

  1. Navigate to the Settings page. The Settings page opens on the Program Brief tab.

    [Screenshot: settings]

  2. Scroll to Program Rewards.

    [Screenshot: program-rewards]

  3. Set a Maximum Advertised Payout. This maximum payout is visible to researchers when they are invited to a private program. Giving researchers insight into the maximum payout helps them decide whether they would like to participate in your program and ensures that those who accept the invitation will be actively testing.

    [Screenshot: max-advertised-payout]

  4. Set reward ranges for each technical severity.

    There are a few options when setting reward ranges:

    • You can set a minimum and maximum for a specific severity by filling in both the Low Reward and High Reward fields.

    [Screenshot: tech-severity]

    The reward range is displayed in the program brief as shown in the image below.

    [Screenshot: range]

    • You can set a range up to a specific amount for a specific severity by filling in the High Reward field and leaving the Low Reward field empty.

    [Screenshot: high-reward]

    The reward range is displayed in the program brief as shown in the image below.

    [Screenshot: severity]

    • You can set a range to start at a specific amount for a specific severity by filling in the Low Reward field and leaving the High Reward field empty.

    [Screenshot: p4-low]

    The reward range is displayed in the program brief as shown in the image below.

    [Screenshot: low]

    • Or, if you do not wish to pay for a specific vulnerability severity, leave both fields blank.

    [Screenshot: p4-informational]

    If left blank, a notification below the reward range will highlight which severity levels will not receive rewards. Researchers will still receive the appropriate kudos points for these submissions.

    [Screenshot: p4-message]

    On-demand Programs: For On-demand programs, you must specify both Low Reward (minimum) and High Reward (maximum) for each priority level. When the program closes, the reward pool is divided based on a calculation, so the minimum and maximum values set the limits on how the reward pool is divided.

  5. Update the Program.

    [Screenshot: update-program]
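The four ways a Low Reward / High Reward pair can be filled in (steps 3 and 4 above), the kudos-only case, and the On-demand rule that both bounds are required are easy to get wrong when a brief is reviewed by hand. The following Python model is an added example, not Bugcrowd or Crowdcontrol code: it encodes those rules so a program owner can check a draft reward table before launch. The display strings, the severity labels P1 to P4, and the two consistency checks (Low Reward must not exceed High Reward, and no High Reward should exceed the Maximum Advertised Payout) are assumptions made for illustration; the four cases and the On-demand requirement come from the steps above.

```python
"""Model of the Program Rewards settings described above (added example).

Assumptions: display wording, P1..P4 labels, and the low <= high and
high <= maximum advertised payout checks are illustrative, not Bugcrowd's.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RewardRange:
    severity: str               # constructed label, e.g. "P1"
    low: Optional[int] = None   # Low Reward field; None means left blank
    high: Optional[int] = None  # High Reward field; None means left blank


def describe_range(r: RewardRange) -> str:
    """Text a brief could show for one severity (wording is assumed)."""
    if r.low is not None and r.high is not None:
        return f"{r.severity}: ${r.low} - ${r.high}"          # both fields filled
    if r.high is not None:
        return f"{r.severity}: up to ${r.high}"                # High only
    if r.low is not None:
        return f"{r.severity}: ${r.low} and up"                # Low only
    return f"{r.severity}: no reward (kudos points only)"      # both blank


def unrewarded_severities(ranges: List[RewardRange]) -> List[str]:
    """Severities that would be flagged as not receiving rewards."""
    return [r.severity for r in ranges if r.low is None and r.high is None]


def validate_program(ranges: List[RewardRange],
                     max_advertised_payout: int,
                     on_demand: bool = False) -> List[str]:
    """Return a list of problems; an empty list means the table is consistent."""
    problems: List[str] = []
    for r in ranges:
        # Page rule: On-demand programs need both bounds for every priority level.
        if on_demand and (r.low is None or r.high is None):
            problems.append(f"{r.severity}: On-demand programs require both "
                            "Low Reward and High Reward")
        # Assumed sanity checks, not stated on the page.
        if r.low is not None and r.high is not None and r.low > r.high:
            problems.append(f"{r.severity}: Low Reward {r.low} exceeds "
                            f"High Reward {r.high}")
        if r.high is not None and r.high > max_advertised_payout:
            problems.append(f"{r.severity}: High Reward {r.high} exceeds "
                            f"Maximum Advertised Payout {max_advertised_payout}")
    return problems


# Constructed sample table covering all four cases from step 4.
SAMPLE_RANGES = [
    RewardRange("P1", low=2000, high=5000),   # min and max
    RewardRange("P2", high=2000),             # up to a maximum
    RewardRange("P3", low=300),               # starts at a minimum
    RewardRange("P4"),                        # no reward, kudos only
]
SAMPLE_MAX_ADVERTISED = 5000

if __name__ == "__main__":
    for rr in SAMPLE_RANGES:
        print(describe_range(rr))
    print("Unrewarded:", unrewarded_severities(SAMPLE_RANGES))
    print("Standard program problems:",
          validate_program(SAMPLE_RANGES, SAMPLE_MAX_ADVERTISED))
    print("On-demand problems:",
          validate_program(SAMPLE_RANGES, SAMPLE_MAX_ADVERTISED, on_demand=True))
```

Run as a script, the sample table passes for a standard program but produces three problems for an On-demand program (P2, P3 and P4 each lack one bound), which matches the note above that On-demand programs need both values.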