Step 1: Register & Create a Profile:

• Sign up on the platform using Link

• Fill in your company's basic information and verify your affiliation with the organization.

• Optionally, add branding elements like logos or banners to make the program page recognisable.

Step 2: Programme's Details:

• Name: A distinct name for your bug bounty program.

• Description: Explain the purpose of the program, the products or services in scope, and any other pertinent information.

• Duration: If your program has a specific start and end date, specify it.

Step 3: Set Targets:

• Scope: Clearly define what is in-scope and out-of-scope. Researchers need to know what they are allowed to test and what they should avoid.

• Environment Details: Provide information about testing environments, if you offer them. Provide Target Name, Type, URL and IP.

Step 4: Policy:

• Allowed Techniques: Specify what types of techniques or methods are allowed when trying to identify vulnerabilities. For example, are researchers allowed to use automated scanners or just manual techniques?

• Data Handling: Define how any data that's accessed or discovered during the testing process should be handled. Stress that any sensitive data found shouldn't be misused or disclosed.

• Legal Protections: Provide assurances that researchers who follow the guidelines won't face legal consequences.

Step 5: Rewards:

• Reward Tiers: Break down rewards by the severity of the bug. For instance:

  • Critical vulnerabilities: $1000-$5000 (or more, depending on the company)

  • High vulnerabilities: $500-$1000

  • Medium vulnerabilities: $100-$500

  • Low vulnerabilities: $50-$100

• Hall of Fame: Mention if researchers will be recognized in a Hall of Fame or any other public acknowledgment platform.

• Swag: Detail any non-monetary rewards, like company merchandise, that might be offered.

• Determining Rewards: State whether the rewards are fixed or if there's any discretion based on the quality of the report or the potential impact of the vulnerability.

Step 6: Participation Guidelines:

• Reporting: Provide a template or structure on how vulnerabilities should be reported. This ensures uniformity in reports and faster processing.

• Communication: Set expectations for communication. How should researchers contact you? How often should they expect updates?

• Responsible Disclosure: Emphasise that researchers should not disclose the vulnerability publicly before an agreed-upon timeframe or before the vulnerability is resolved.

• Testing Restrictions: If there are certain actions that researchers shouldn't take (like DDoS attacks, or accessing other users' data), this is where you'd specify them.

• Proof of Concept: If you require researchers to provide a working proof of concept for the vulnerabilities they report, mention it here.