Listing a Bug Bounty Program
Six-step process to list your Bug Bounty Program at Com Olho.
COM OLHO IT PRIVATE LIMITED
Step 1: Create a New Program
After signing up, navigate to the Organization Dashboard and click "Create New Program." This opens a form where you enter the initial details of your bug bounty program; the remaining steps customise that program.
Step 2: Program Details:
Name: A distinct name for your bug bounty program.
Description: Explain the purpose of the program, the products or services in scope, and any other pertinent information.
Duration: If your program has a specific start and end date, specify it.
Step 3: Set Targets:
Scope: Clearly define what is in scope and what is out of scope. Researchers need to know which assets they are allowed to test and which they must avoid; list out-of-scope assets explicitly (for example third-party services you do not control) rather than leaving them implied.
Environment Details: Provide information about testing environments, if you offer them, and state whether production systems may be tested. For each target provide the Target Name, Type, URL and IP.
Step 4: Policy:
Allowed Techniques: Specify which techniques or methods are allowed when identifying vulnerabilities. For example, are researchers allowed to use automated scanners, or only manual techniques? If scanners are allowed, state any request-rate limits they must respect.
Data Handling: Define how any data accessed or discovered during testing must be handled. Stress that sensitive data must not be misused, retained or disclosed, and that a researcher who reaches such data should stop and report rather than go further.
Legal Protections: Provide assurances that researchers who follow the guidelines will not face legal action (a "safe harbour" statement).
Step 5: Rewards:
Reward Tiers: Break down rewards by the severity of the bug, and state how severity is rated (for example, by CVSS score). For instance:
Critical vulnerabilities: $1000-$5000 (or more, depending on the company)
High vulnerabilities: $500-$1000
Medium vulnerabilities: $100-$500
Low vulnerabilities: $50-$100
Hall of Fame: Mention if researchers will be recognized in a Hall of Fame or any other public acknowledgment platform.
Swag: Detail any non-monetary rewards, like company merchandise, that might be offered.
Determining Rewards: State whether the rewards are fixed or if there's any discretion based on the quality of the report or the potential impact of the vulnerability.
Step 6: Participation Guidelines:
Reporting: Provide a template or structure for vulnerability reports, for example: title, affected target, steps to reproduce, impact and suggested fix. This keeps reports uniform and speeds up triage.
Communication: Set expectations for communication. How should researchers contact you? How often should they expect updates, and how quickly will you acknowledge a new report?
Responsible Disclosure: Emphasise that researchers must not disclose a vulnerability publicly before the agreed-upon timeframe has elapsed or before the vulnerability is resolved, whichever you specify.
Testing Restrictions: If there are actions researchers must not take (such as denial-of-service attacks, social engineering of staff, or accessing other users' data), specify them here.
Proof of Concept: If you require researchers to provide a working proof of concept for the vulnerabilities they report, say so here, along with any limits on how far a proof of concept may go (for example, demonstrating access without exfiltrating data).