Reviewing Bounty Briefs

A program’s bounty brief tells you everything you need to know about the program, such as the targets, goals, and scope. It defines what is in scope for the bounty and outlines the company’s expectations. You must thoroughly review the bounty brief before you start working on a program.

The brief also sets your expectations for rewards: whether the program pays cash for vulnerability reports, the reward range, and, based on previously rewarded bounties, roughly how long it may take for a submission to be reviewed and a reward decided.

Viewing the Bounty Brief

To view the bounty brief for a particular program, go to the Programs list.

programs-tab

Click the name of a program to view its bounty brief.

programs

The bounty brief will look like a variation of this:

bounty-brief

Each bounty brief differs depending on the needs of the company. At a minimum, it tells you the following information:

  • The company overview.
  • The targets you can test.
  • Areas the company wants you to focus on.
  • Areas that are out of scope for testing.
  • Additional rules that you must follow.

Always review the Bounty Brief before beginning testing: This helps prevent Out of Scope submissions. Reporting a vulnerability against a target not explicitly in scope may result in your report being marked as Out Of Scope, with a penalty of -1 point applied to your profile. If you have any questions about the scope of the program, please contact our support team at support@bugcrowd.com.

Now we will walk through different parts of the bounty brief you might see on a program.

Program Brief header

program-brief

Identifying a Managed by Bugcrowd program

managed-by-bugcrowd

This designation lets you know that the program is managed by Bugcrowd, meaning our team handles triage and support. The majority of programs on the platform are managed by Bugcrowd.

Following a Program

follow

Following a particular program will provide you with email notifications of any important changes made to that program. These emails include details of the exact changes made (e.g. reward increases, new targets, or new exclusions) and a link to the ‘Program Updates’ page, where you can find more details on any particular change made to that specific program.

You will automatically follow a program once you submit your first report to that specific program or upon accepting an invitation to a private program.

For more in-depth information on following a program, see managing program subscriptions.

Reward Ranges

reward-range

This section outlines the reward range for each technical severity level. It may also state specific conditions attached to rewards or to particular vulnerability classes.

In Scope Targets

in-scope-targets

In scope targets are the areas (applications, APIs, hardware, etc.) that the Program Owner will accept vulnerability reports against.

Again, submit only against in-scope targets to avoid Out of Scope or otherwise invalid submission results. If you have a question, message support@bugcrowd.com.

Out of scope

out-of-scope

Each bounty has a list of targets that are out of scope. These targets must not be tested, even when they sit under a broader in-scope target (for example, an excluded host beneath an in-scope wildcard domain).

Program Rules

program-rules

Program rules provide the disclosure terms and outline any specific rules that need to be followed for this program. If you have questions about the program rules, please contact our support team at support@bugcrowd.com.

It may be tempting to share your findings with others, but remember, each program has a disclosure policy that you must respect. Many programs do not want you to share the vulnerabilities that you’ve discovered with the public. Additionally, talking about a private program with another researcher who may not have been invited to the program is against the policies of Bugcrowd, as it discloses the existence of the program. Be smart, don’t do it.

For more information on disclosure policies for Bugcrowd programs, see our Public Disclosure Policy page.

Program Updates

program-updates

This section will provide you with all the recent and past important updates which have been made to the program.

Viewing the Program’s Statistics

program-statistics

Each program provides you insights into the rewards that have been distributed and the validation time for submissions.

Viewing Known Issues

known-issues

This section lists vulnerabilities that have already been reported against the program, so you can decide where to concentrate your testing: either on areas that have not been reported yet, or on digging deeper into a specific area.

For additional information, see viewing known issues.

You must be signed in to the platform to view the Known Issues for Public Programs.

Hall of Fame

hall-of-fame

Finally, Public programs include this section, which lists the Researchers in the Hall of Fame for this program. Read about entering a Program’s Hall of Fame in detail.
