Earning Cash Rewards
If a program offers cash rewards, it means that they are willing to pay you for a valid bug. A valid bug is a security vulnerability that is in scope as per the bounty brief and can be reproduced by the triaging Application Security Engineer (ASE) or Program Owner.
To qualify for a cash reward, you must be the first Researcher to report the vulnerability. It cannot be a duplicate of a report someone else has already reported or a known issue which has been imported by the Program Owner.
You will know your submission has been accepted as valid when its status changes from Triaged
to Unresolved
. When this happens, the Program Owner will reward your submission. You will receive an e-mail notification that your submission has been accepted and you have been rewarded for your efforts.
The Program Owner sets the reward amount with Bugcrowd’s input. It is typically based on the current market rate for the priority assigned to the submission and the impact of the submission for the business. This rate varies, but generally, vulnerabilities with a higher priority rating are rewarded more.
Rewards vary by program.
The final status of the report is determined by the Program Owner. If you disagree with the final status of your report and have made at least 1 attempt to resolve this with the Program Owner please create a support ticket through the Bugcrowd Support Portal.
Earning Kudos Points for Valid Bugs
You are rewarded points for each valid accepted report. You must be the first person to report the bug to earn all possible points.
Each bug is rated on a priority scale of P1 - P5 according to Bugcrowd’s VRT, with points rewarded accordingly:
Priority | Level | Points Earned |
---|---|---|
P1 | Critical | 40 points |
P2 | High | 20 points |
P3 | Moderate | 10 points |
P4 | Low | 5 points |
P5 | Non-exploitable weaknesses | 0 points |
Earning Points for Duplicate Bugs
Points are also rewarded for duplicate submissions based on its severity. Points are rewarded for a duplicate submission when the original bug is accepted by the Program Owner.
Priority | Level | Points Earned |
---|---|---|
P1 | Critical | 10 points |
P2 | High | 5 points |
P3 | Moderate | 0 points |
P4 | Low | 0 points |
P5 | Non-exploitable weaknesses | 0 points |
If you have questions about points, submit a support ticket through the Bugcrowd Support Portal.
For more detailed information about the prioritization of a vulnerability, see Bugcrowd VRT.