Frequently Asked Questions

    What is a Bug Bounty program?

    A bug bounty is a reward-based vulnerability research program. Rewards are usually defined according to the severity of the bugs. Researchers receive the rewards following the validation of their submitted bug reports.

    Why do we need bug bounty programs?

    Bug bounty and vulnerability disclosure programs have been proven to deliver excellent results in finding vulnerabilities. White hat hackers and security researchers are continuously searching for vulnerabilities, whether invited or not. By providing them with a safe harbor to report these vulnerabilities and by rewarding them for doing so, organizations can benefit from continuous testing, while paying only for results. Granting security researchers permission to test your systems is a quick and cost-effective way to receive more findings.

    What is a Vulnerability Disclosure Program?

    Vulnerability disclosure programs give researchers a safe way to report bugs they discover outside a defined bounty program. In such cases the report is made under the safe harbor, and the company may return with a reward as it sees fit.

    How do bug bounties compare with penetration testing?

    Private programs offer organizations the opportunity to utilize the power of our ecosystem for security vulnerability testing: volume of testers, diversity of skill and perspective, and a competitive environment. Automated tools find only what they already know to look for, and penetration tests are limited in perspective, time and effort. Bug bounties are a complementary means for any sophisticated security program.

    What’s the difference between public and private programs?

    Public programs are open to all researchers while private programs are limited to vetted researchers. Vetting levels vary to fit the organizations’ risk perspective. Public programs offer the power of a diverse skillset and a more competitive environment.

    What can be tested in a bounty program?

    Companies typically define the bounty scope around mobile apps, web apps, IoT, cloud services and smart contracts. Researchers are expected to stay strictly within the defined scope.

    How does a researcher become vetted?

    There are various levels of vetting: ID check, background check, NDA, face-to-face interviews, legal papers and, most importantly, being part of our leaderboard or a global bounty platform’s leaderboard.

    How are researchers compensated for their services?

    Our blockchain-backed platform manages payments to researchers who are the first to identify unique vulnerabilities that are in scope of the Bounty Program. Once the validators and clients review and approve the reported bug, the Bugbounter platform takes care of the rest. Sometimes non-monetary forms of reward may apply, such as gifts and recognition. 100% of the announced reward is delivered to the researcher.

    Are the bugs found by the researchers publicly announced?

    Usually most discovered vulnerabilities are kept confidential. Clients may choose to allow public disclosure of vulnerabilities but are not compelled to do so.