You can reward a researcher at any point in the submission process. However, it is recommended that you reward researchers when you change a submission status from “Triaged” to “Unresolved.” At this point, you have indicated internally that the submission is valid and needs to be fixed, which means that the researcher’s job of finding the vulnerability is done and they should be rewarded for their work.
To reward a researcher, go to the Submissions page and select the submission you want to reward.
Click on the Add Reward button located in the Submission Settings.
A pop-up appears and displays the recommended amount you should pay the researcher. This amount is based on the priority assigned to the submission and Bugcrowd’s Vulnerability Rating Taxonomy. You can pay the recommended amount or enter a custom amount in the Reward amount field.
If you want to include a message to the researcher, use the Note to researcher field. For example, you may want to send a congratulatory message or provide a reason for the amount rewarded.
When you are ready to pay out the reward, click the “Pay” button.
The researcher will receive a notification of the reward and your bounty pool will be debited for the amount.
Important: Before you pay out the reward, make sure that you have thoroughly validated the submission and have selected the appropriate amount to reward the researcher. You cannot change the reward after you click Pay.
Calculating the Worth of a Bug
Bugcrowd provides a recommended reward based on the priority that you assign to the submission. You can tweak the payment as needed. For an overview of what goes into setting the appropriate budget and reward range for your bounty program, read this article.
An alert will appear if you reward the researcher an amount outside the recommended range. To continue with the amount, you must provide a note to the researcher. If you do not, you will not be able to submit the reward.
Additional Bonus Rewards or Tips
A researcher will often make an additional effort to help you remediate and retest a fixed vulnerability, even after you have paid them for the original submission. For this additional work, we recommend that organizations add a bonus for the researcher’s time and effort.
To add an additional bonus on top of the researcher’s bounty reward:
- Go to the submission you want to reward.
- Click the Add Additional Reward button.
- When the additional reward pop-up appears, select an amount from the list or enter a different amount in the custom field.
- When you are ready to pay the additional reward, click Pay.
You can reward the researcher as many times as you need. From the “Add Additional Reward” window, you’ll be able to see the amount that has already been paid to the researcher and what the new cumulative total will be.