Listing Bug Bounty Program
6-Step process to list your Bug Bounty Program at Com Olho.
Step 1: Register & Create a Profile:
- Fill in your company's basic information and verify your affiliation with the organization.
- Optionally, add branding elements like logos or banners to make the program page recognisable.
Step 2: Program Details:
- Name: A distinct name for your bug bounty program.
- Description: Explain the purpose of the program, the products or services in scope, and any other pertinent information.
- Duration: If your program has a specific start and end date, specify it.
Step 3: Set Targets:
- Scope: Clearly define what is in-scope and out-of-scope. Researchers need to know what they are allowed to test and what they should avoid.
- Environment Details: If you provide dedicated testing environments (for example, a staging instance), describe them here. For each target, give its Name, Type, URL and IP.
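A scope definition is only useful if both sides can apply it mechanically. The following Python scope checker is an added example, not code from Com Olho or from this page; it takes target entries in the shape described above (Name, Type, URL, IP) and classifies a URL, hostname or IP address as in-scope, out-of-scope or unlisted. All hostnames, IP ranges and target names in it are constructed placeholders. It handles the three cases that cause most scope disputes: wildcard subdomains (which do not cover the bare apex or look-alike names), CIDR ranges, and explicit exclusions that carve a host out of a wildcard or range.

```python
import ipaddress

# Constructed sample target list in the page's shape (Target Name, Type, URL, IP).
# Every hostname, address and name below is hypothetical.
IN_SCOPE = [
    {"name": "Main web app", "type": "web", "url": "https://app.example.com", "ip": None},
    {"name": "Public API", "type": "api", "url": "https://api.example.com", "ip": None},
    {"name": "Staging wildcard", "type": "web", "url": "https://*.staging.example.com", "ip": None},
    {"name": "Edge range", "type": "network", "url": None, "ip": "203.0.113.0/24"},
]
OUT_OF_SCOPE = [
    {"name": "Corporate mail", "type": "web", "url": "https://mail.example.com", "ip": None},
    {"name": "Management host", "type": "network", "url": None, "ip": "203.0.113.250"},
]


def _host_of(target: str) -> str:
    """Extract the lowercase host from a URL, bare hostname or IP literal.

    Scheme, userinfo, port and path are stripped; bracketed IPv6 literals lose
    their brackets so ipaddress can parse them.
    """
    without_scheme = target.split("://", 1)[-1]
    authority = without_scheme.split("/", 1)[0].split("@")[-1]
    if authority.startswith("["):
        return authority[1:authority.index("]")].lower()
    return authority.split(":", 1)[0].lower()


def _matches(entry: dict, host: str) -> bool:
    """True if `host` falls under a single target entry (IP/CIDR or URL host)."""
    if entry["ip"]:
        network = ipaddress.ip_network(entry["ip"], strict=False)
        try:
            return ipaddress.ip_address(host) in network
        except ValueError:  # host is a name, not an address
            return False
    pattern = _host_of(entry["url"])
    if pattern.startswith("*."):
        # "*.staging.example.com" covers any subdomain of staging.example.com,
        # but not the apex itself and not look-alikes such as evil-staging.example.com.
        return host.endswith(pattern[1:])
    return host == pattern


def classify(target: str) -> tuple:
    """Return (status, target_name) for a URL, hostname or IP.

    Exclusions are checked first, so an explicit out-of-scope host always wins
    over an in-scope wildcard or CIDR range that would otherwise cover it.
    """
    host = _host_of(target)
    for entry in OUT_OF_SCOPE:
        if _matches(entry, host):
            return ("out-of-scope", entry["name"])
    for entry in IN_SCOPE:
        if _matches(entry, host):
            return ("in-scope", entry["name"])
    return ("unlisted", None)


if __name__ == "__main__":
    for sample in ["https://app.example.com/login", "dev.staging.example.com:8443",
                   "staging.example.com", "203.0.113.17", "203.0.113.250",
                   "https://evil-staging.example.com"]:
        print(sample, "->", classify(sample))
```

Researchers can run this against a candidate host before testing it; program owners can use the same logic to triage incoming reports. Treat "unlisted" as out-of-scope by default, and publish that rule in the policy so the ambiguity does not surface as a dispute later.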
Step 4: Policy:
- Allowed Techniques: Specify what types of techniques or methods are allowed when trying to identify vulnerabilities. For example, are researchers allowed to use automated scanners or just manual techniques?
- Data Handling: Define how any data that's accessed or discovered during the testing process should be handled. Stress that any sensitive data found shouldn't be misused or disclosed.
- Legal Protections: Provide assurances that researchers who follow the guidelines won't face legal consequences.
Step 5: Rewards:
- Reward Tiers: Break down rewards by the severity of the bug. For instance:
  - Critical vulnerabilities: $1000-$5000 (or more, depending on the company)
  - High vulnerabilities: $500-$1000
  - Medium vulnerabilities: $100-$500
  - Low vulnerabilities: $50-$100
- Hall of Fame: Mention if researchers will be recognized in a Hall of Fame or any other public acknowledgment platform.
- Swag: Detail any non-monetary rewards, like company merchandise, that might be offered.
- Determining Rewards: State whether the rewards are fixed or if there's any discretion based on the quality of the report or the potential impact of the vulnerability.
Step 6: Participation Guidelines:
- Reporting: Provide a template or structure on how vulnerabilities should be reported. This ensures uniformity in reports and faster processing.
- Communication: Set expectations for communication. How should researchers contact you? How often should they expect updates?
- Responsible Disclosure: Emphasise that researchers should not disclose the vulnerability publicly before an agreed-upon timeframe or before the vulnerability is resolved.
- Testing Restrictions: If there are certain actions that researchers shouldn't take (like DDoS attacks, or accessing other users' data), this is where you'd specify them.
- Proof of Concept: If you require researchers to provide a working proof of concept for the vulnerabilities they report, mention it here.