Listing Bug Bounty Program
6-Step process to list your Bug Bounty Program at Com Olho.
Step 1: Register & Create a Profile:
Sign up on the platform using Link
Fill in your company's basic information and verify your affiliation with the organization.
Optionally, add branding elements like logos or banners to make the program page recognisable.
Step 2: Program Details:
Name: A distinct name for your bug bounty program.
Description: Explain the purpose of the program, the products or services in scope, and any other pertinent information.
Duration: If your program has a specific start and end date, specify it.
Step 3: Set Targets:
Scope: Clearly define what is in-scope and out-of-scope. Researchers need to know what they are allowed to test and what they should avoid. Wildcards (for example *.example.com) make scope easy to state, but pair them with explicit out-of-scope entries for third-party-hosted, fragile or production-critical hosts, since an exclusion should always override a broader in-scope entry.
Environment Details: If you offer dedicated testing environments (such as a staging instance with test accounts), describe them here; otherwise researchers will assume production is the target. For each target, provide its Target Name, Type, URL and IP.
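A scope definition is only useful if both sides can apply it mechanically. The following is an added example (not Com Olho's own code) that models the Step 3 target list as entries with a Target Name, Type and URL/IP pattern, and answers the question a researcher asks before every request: is this host or IP in scope? Explicit out-of-scope entries are checked first so that an exclusion overrides a wildcard or CIDR that would otherwise include it. The hostnames and addresses are constructed sample data, and matching is done on hostname or IP only; scheme, port and path restrictions are left to the written policy.

```python
"""Scope checker for a bug bounty program listing.

Added example, not platform code. Models in-scope and out-of-scope
targets (Target Name, Type, URL or IP) and classifies a candidate
URL, hostname or IP against them. Out-of-scope entries win.
"""
from dataclasses import dataclass
import ipaddress
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Target:
    name: str          # Target Name from the listing
    kind: str          # Type: "web", "api" or "ip_range"
    pattern: str       # URL/host (a leading "*." matches subdomains) or IP/CIDR
    in_scope: bool     # False marks an explicit out-of-scope entry


# Constructed sample program scope (hostnames and IPs are illustrative only).
PROGRAM_TARGETS = [
    Target("Main web app", "web", "https://app.example.com", True),
    Target("Public API", "api", "https://*.api.example.com", True),
    Target("Corporate range", "ip_range", "203.0.113.0/24", True),
    Target("Marketing site", "web", "https://www.example.com", False),   # vendor-hosted
    Target("Payments gateway", "api", "https://pay.api.example.com", False),
    Target("Mgmt hosts", "ip_range", "203.0.113.250/31", False),
]


def _host_of(value: str) -> str:
    """Return the lowercase hostname (or bare IP) of a URL or host string."""
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    return value.split("/")[0].lower()


def _matches(target: Target, host: str) -> bool:
    """True if `host` (hostname or IP literal) falls under `target.pattern`."""
    if target.kind == "ip_range":
        try:
            network = ipaddress.ip_network(target.pattern, strict=False)
            return ipaddress.ip_address(host) in network
        except ValueError:          # host is not an IP literal
            return False
    tpattern = _host_of(target.pattern)
    if tpattern.startswith("*."):
        # "*.api.example.com" matches subdomains, not api.example.com itself
        return host.endswith(tpattern[1:])
    return host == tpattern


def check_scope(candidate: str, targets=PROGRAM_TARGETS):
    """Classify a URL, hostname or IP against the program's target list.

    Returns (verdict, target_name); verdict is "out_of_scope", "in_scope"
    or "unlisted". Exclusions are evaluated before inclusions so that an
    out-of-scope host inside an in-scope wildcard or CIDR is still refused.
    """
    host = _host_of(candidate)
    for t in targets:
        if not t.in_scope and _matches(t, host):
            return "out_of_scope", t.name
    for t in targets:
        if t.in_scope and _matches(t, host):
            return "in_scope", t.name
    return "unlisted", None


if __name__ == "__main__":
    for probe in ["https://app.example.com/login", "pay.api.example.com",
                  "https://dev.api.example.com/v1/users", "203.0.113.17",
                  "203.0.113.251", "https://www.example.com", "10.0.0.5"]:
        print(f"{probe:40} -> {check_scope(probe)}")
```

Note that "unlisted" is deliberately a third answer rather than being folded into "in_scope": anything the listing does not name should be treated as off limits until the program owner says otherwise.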
Step 4: Policy:
Allowed Techniques: Specify what types of techniques or methods are allowed when trying to identify vulnerabilities. For example, are researchers allowed to use automated scanners or only manual techniques? If scanners are permitted, state any rate limits and any header or account researchers must use so their traffic can be distinguished from real attacks.
Data Handling: Define how any data that is accessed or discovered during testing should be handled. Stress that sensitive data must not be misused, retained or disclosed, and that a researcher who confirms access to such data should stop and report rather than extract more of it to prove impact.
Legal Protections: Provide assurances (a safe harbour clause) that researchers who act in good faith and follow the guidelines will not face legal action from the organization.
Step 5: Rewards:
Reward Tiers: Break down rewards by the severity of the bug. For instance:
Critical vulnerabilities: $1000-$5000 (or more, depending on the company)
High vulnerabilities: $500-$1000
Medium vulnerabilities: $100-$500
Low vulnerabilities: $50-$100
Hall of Fame: Mention if researchers will be recognized in a Hall of Fame or any other public acknowledgment platform.
Swag: Detail any non-monetary rewards, like company merchandise, that might be offered.
Determining Rewards: State whether the rewards are fixed or if there's any discretion based on the quality of the report or the potential impact of the vulnerability.
Step 6: Participation Guidelines:
Reporting: Provide a template or structure on how vulnerabilities should be reported, typically covering the affected target, vulnerability type, steps to reproduce, observed impact and any supporting evidence. This ensures uniformity in reports and faster processing.
Communication: Set expectations for communication. How should researchers contact you? How often should they expect updates?
Responsible Disclosure: Emphasise that researchers should not disclose the vulnerability publicly before an agreed-upon timeframe or before the vulnerability is resolved.
Testing Restrictions: If there are certain actions that researchers shouldn't take (like DDoS attacks, or accessing other users' data), this is where you'd specify them.
Proof of Concept: If you require researchers to provide a working proof of concept for the vulnerabilities they report, mention it here.