A program’s bounty brief tells you everything you need to know about the program, such as the targets, goals, and scope. It defines what is in scope for the bounty and clearly outlines the company's expectations. You must thoroughly review the bounty brief before you start working on a program.
The brief also sets your expectations for rewards: it indicates whether you can earn cash rewards for your vulnerability reports, the reward range, and, based on previously rewarded bounties, the average time it may take for your submission to be reviewed and a reward determined.
To view the bounty brief for a particular program, go to the Programs list.
Click the name of a program to view its bounty brief.
Each bounty brief differs depending on the needs of the company. At a minimum, it tells you the following information:
- The company overview
- The targets you can test
- Areas the company wants you to focus on
- Areas that are out of scope for testing
- Additional rules that you must follow
Targets are the applications that the company wants you to test.
Each bounty has a list of targets that are in scope and any information that you may need to access them. Anything that is not listed as a target should not be tested. If you have any questions about the scope of the program, please feel free to contact our support team at email@example.com.
Each program gives you insight into the rewards that have been distributed and the validation time for submissions.
It may be tempting to share your findings with others, but remember, each program has a disclosure policy that you must respect. Some programs do not want you to share the vulnerabilities that you've discovered with the public.
For more information on disclosure policies for Bugcrowd programs, please see our Public Disclosure Policy.