đŸŽŖListing Bug Bounty Program

Six-step process to list your Bug Bounty Program at Com Olho.

Step 1: Create a New Program

After signing up, navigate to the Organization Dashboard and click on "Create New Program." This opens a form where you enter the initial details of your bug bounty program, setting the foundation for further customization and setup.

Step 2: Programme Details:

  • Name: A distinct name for your bug bounty program.

  • Description: Explain the purpose of the program, the products or services in scope, and any other pertinent information.

  • Duration: If your program has a specific start and end date, specify it.

Step 3: Set Targets:

  • Scope: Clearly define what is in-scope and out-of-scope. Researchers need to know what they are allowed to test and what they should avoid.

  • Environment Details: Provide information about testing environments, if you offer them. For each target, provide the Target Name, Type, URL and IP.

Step 4: Policy:

  • Allowed Techniques: Specify what types of techniques or methods are allowed when trying to identify vulnerabilities. For example, are researchers allowed to use automated scanners or just manual techniques?

  • Data Handling: Define how any data that's accessed or discovered during the testing process should be handled. Stress that any sensitive data found shouldn't be misused or disclosed.

  • Legal Protections: Provide assurances that researchers who follow the guidelines won't face legal consequences.

Step 5: Rewards:

  • Reward Tiers: Break down rewards by the severity of the bug. For instance:

    • Critical vulnerabilities: $1000-$5000 (or more, depending on the company)

    • High vulnerabilities: $500-$1000

    • Medium vulnerabilities: $100-$500

    • Low vulnerabilities: $50-$100

  • Hall of Fame: Mention if researchers will be recognized in a Hall of Fame or any other public acknowledgment platform.

  • Swag: Detail any non-monetary rewards, like company merchandise, that might be offered.

  • Determining Rewards: State whether the rewards are fixed or if there's any discretion based on the quality of the report or the potential impact of the vulnerability.

Step 6: Participation Guidelines:

  • Reporting: Provide a template or structure on how vulnerabilities should be reported. This ensures uniformity in reports and faster processing.

  • Communication: Set expectations for communication. How should researchers contact you? How often should they expect updates?

  • Responsible Disclosure: Emphasise that researchers should not disclose the vulnerability publicly before an agreed-upon timeframe or before the vulnerability is resolved.

  • Testing Restrictions: If there are certain actions that researchers shouldn't take (like DDoS attacks, or accessing other users' data), this is where you'd specify them.

  • Proof of Concept: If you require researchers to provide a working proof of concept for the vulnerabilities they report, mention it here.
