
Listing Bug Bounty Program

6-step process to list your Bug Bounty Program at Com Olho.
Step 1: Register & Create a Profile:
  • Sign up on the platform using Link
  • Fill in your company's basic information and verify your affiliation with the organization.
  • Optionally, add branding elements like logos or banners to make the program page recognisable.
Step 2: Programme Details:
  • Name: A distinct name for your bug bounty program.
  • Description: Explain the purpose of the program, the products or services in scope, and any other pertinent information.
  • Duration: If your program has a specific start and end date, specify it.
[Screenshot: Programme Details]
Step 3: Set Targets:
  • Scope: Clearly define what is in scope and what is out of scope (for example, specific domains, subdomains, mobile apps or APIs). Researchers need to know exactly what they are allowed to test and what they must avoid, so list out-of-scope assets explicitly rather than leaving them implied.
  • Environment Details: If you offer dedicated testing environments (such as staging rather than production), say so and explain how researchers gain access. For each target, provide the Target Name, Type, URL and IP.
[Screenshot: Set Targets]
Step 4: Policy:
  • Allowed Techniques: Specify which techniques or methods are permitted when identifying vulnerabilities. For example, are researchers allowed to use automated scanners, or only manual techniques? If scanners are allowed, state any rate limits so that testing does not degrade the service for real users.
  • Data Handling: Define how any data accessed or discovered during testing must be handled. Make clear that sensitive data must not be misused, retained or disclosed, and that a researcher who encounters it should stop, record only what is needed to demonstrate the issue, and report it immediately.
  • Legal Protections: Provide assurances (a safe-harbour statement) that researchers who act in good faith and follow the guidelines will not face legal consequences.
Step 5: Rewards:
  • Reward Tiers: Break down rewards by the severity of the bug, and state how severity is assessed (for instance, by CVSS score). An illustrative tiering:
    • Critical vulnerabilities: $1000-$5000 (or more, depending on the company)
    • High vulnerabilities: $500-$1000
    • Medium vulnerabilities: $100-$500
    • Low vulnerabilities: $50-$100
  • Hall of Fame: Mention if researchers will be recognized in a Hall of Fame or any other public acknowledgment platform.
  • Swag: Detail any non-monetary rewards, like company merchandise, that might be offered.
  • Determining Rewards: State whether rewards are fixed per tier or whether there is discretion based on the quality of the report or the demonstrated impact of the vulnerability, and how duplicate reports of the same issue are handled.
Step 6: Participation Guidelines:
  • Reporting: Provide a template or structure for vulnerability reports (for example: affected target, steps to reproduce, impact, and evidence). This ensures uniformity in reports and faster triage.
  • Communication: Set expectations for communication. How should researchers contact you? How quickly will a report be acknowledged, and how often should researchers expect updates?
  • Responsible Disclosure: Emphasise that researchers must not disclose a vulnerability publicly before an agreed-upon timeframe has elapsed or before the vulnerability is resolved.
  • Testing Restrictions: If there are actions researchers must not take (such as denial-of-service testing, social engineering of staff, or accessing or modifying other users' data), this is where you specify them.
  • Proof of Concept: If you require researchers to provide a working proof of concept for the vulnerabilities they report, mention it here, along with any limits on how far exploitation may be taken (for example, demonstrating access without extracting data).
[Screenshot: Participation Guidelines]