A bug bounty is a reward-based vulnerability research program. Rewards are usually defined according to the severity of the bugs. Researchers receive the rewards following the validation of their submitted bug reports.
Bug bounty and vulnerability disclosure programs have been proven to deliver excellent results in finding vulnerabilities. White hat hackers and security researchers are continuously searching for vulnerabilities, whether invited or not. By providing them with a safe harbor to report these vulnerabilities and by rewarding them for doing so, organizations can benefit from continuous testing, while paying only for results. Granting permission for security researchers to test your systems is a quick and cost-effective way to receive more findings.
Vulnerability disclosure programs provide researchers a safe way to report bugs they discover outside a defined bounty program. In such cases the bug is reported under the safe harbor and the company may offer a reward as it sees fit.
Private programs offer organizations the opportunity to utilize the power of our ecosystem for security vulnerability testing: volume of testers, diversity of skill and perspective, and a competitive environment. Automated scanning finds only what it already knows, and penetration tests are limited in perspective, time and effort. Bug bounties are a complementary means for any sophisticated security program.
Public programs are open to all researchers while private programs are limited to vetted researchers. Vetting levels vary to fit the organizations’ risk perspective. Public programs offer the power of a diverse skillset and a more competitive environment.
Companies typically define the bounty scopes around mobile apps, web apps, IoT, cloud services and smart contracts. Researchers are expected to stay strictly within the defined scope.
There are various levels of vetting: ID check, background check, NDA, face-to-face interviews, legal papers and, most importantly, being part of our leaderboard or a global bounty platform’s leaderboard.
Our blockchain-backed platform manages payments to researchers who are the first to identify unique vulnerabilities that are in scope of the Bounty Program. Once the validators and clients review and approve the reported bug, the Bugbounter platform takes care of the rest. Sometimes non-monetary forms of reward may apply, such as gifts and recognition. 100% of the announced reward is delivered to the researcher.
Usually most discovered vulnerabilities are kept confidential. Clients may choose to allow public disclosure of vulnerabilities but are not compelled to do so.