You can reward a researcher at any point in the submission process. However, it is recommended that you reward researchers when you change a submission status from “Triaged” to “Unresolved”. At this point, you have indicated internally that the submission is valid and needs to be fixed, which means that the researcher’s job of finding the vulnerability is done and they should be rewarded for their work.
Important: Payments are processed every business day. You can read more about our business days here.
To reward a researcher, go to the Submissions Page and select the submission you want to Reward.
Click on the Add Reward button located in the Submission Settings.
A pop-up appears and displays the recommended amount you should pay the researcher. This amount is based on the priority assigned to the submission and Bugcrowd’s Vulnerability Rating Taxonomy. You can pay the recommended amount or enter a custom amount in the Reward amount field.
If you want to include a message to the researcher, you can use the Note to researcher field. For example, you may want to send a congratulatory message or a provide a reason for the amount rewarded.
When you are ready to pay out the reward, click the “Pay” button.
The researcher will receive a notification of the reward and your bounty pool will be debited for the amount.
Important: Before you pay out the reward, make sure that you have thoroughly validated the submission and have selected the appropriate amount to reward the researcher. You cannot change the reward after you click Pay.
Calculating the Worth of a Bug
Bugcrowd provides a recommended reward based on the priority that you assign to the submission. You can tweak the payment as needed. For an overview of what goes into setting the appropriate budget and reward range for your bounty program, read this article.
An alert will appear if you reward the researcher an amount outside the recommended range. To continue with the amount, you must provide a note to the researcher. If you do not, you will not be able to submit the reward.
Additional Bonus Rewards or Tips
A researcher will often make an additional effort to help you remediate and retest a fixed vulnerability–even after you have paid them out for the original submission. For additional work, we recommend organizations to add an additional bonus for the researcher’s time and efforts.
To add an additional bonus on top of the researcher’s bounty reward:
- Go to the submission you want to reward.
- Click the Add Additional Reward button.
- When the additional reward pop-up appears, select an amount from the list or enter a different amount in the custom field.
- When you are ready to award the reward, click Pay.
You can reward the researcher as many times as you need. From the “Add Additional Reward” window, you’ll be able to see the amount that has already been paid to the researcher and what the new cumulative total will be.
Cancelling a Reward
Sometimes you may need to cancel a reward that you have set for a researcher. It could be due to incorrect amount, incorrect researcher, or any other reason. Bugcrowd provides you with the option to cancel a set reward within 8 hours.
To cancel a reward you have set, follow these steps:
- Select the submission for which you want to cancel the reward.
- Go to the Rewards tab.
Scroll down to the Reward History section. You will see a list of all the rewards. In the Actions column you have the option to Cancel reward.
Click the Cancel reward button. A pop-up with Reason and Comment appears.
- Select the Reason, add Comments, and click the Cancel reward button.