Researcher Documentation

Reviewing Bounty Briefs

A program’s bounty brief tells you everything you need to know about the program, such as the targets, goals, and scope. It defines what is in scope for the bounty and clearly outlines the company's expectations. You must thoroughly review the bounty brief before you start working on a program.

The brief also sets your expectations for rewards: whether you can earn cash rewards for your vulnerability reports, the reward range, and, based on previously rewarded bounties, the average time it may take for your submission to be reviewed and a reward determined.

Viewing the Bounty Brief

To view the bounty brief for a particular program, go to the Programs list.

Click on a program's name to view its bounty brief.

The bounty brief will look like a variation of this:

Each bounty brief differs depending on the needs of the company. At a minimum, it tells you the following information:

  • The company overview.
  • The targets you can test.
  • Areas the company wants you to focus on.
  • Areas that are out of scope for testing.
  • Additional rules that you must follow.

Always review the Bounty Brief before beginning testing

This helps prevent Out of Scope submissions. Reporting a vulnerability against a target not explicitly in scope may result in your report being marked as Out of Scope, with a penalty of -1 point applied to your profile. If you have any questions about the scope of the program, please contact our support team at support@bugcrowd.com.

Now we'll walk through different parts of the bounty brief you might see on a program.

Program Brief header

Identifying a "Managed by Bugcrowd" program

This designation lets you know that the program is managed by Bugcrowd, meaning our team handles triage and support. The majority of programs on the platform are managed by Bugcrowd.

Following a Program

Following a particular program will provide you with email notifications of any important changes made on that program. These emails will include details of the exact changes made (e.g., reward increases, new targets, or new exclusions) and will also provide a link to the 'Program Updates' page. There you can find more details on any particular change made on that specific program.

You will automatically follow a program once you submit your first report to that specific program or upon accepting an invitation to a private program.

For more in-depth information on following a program, see Managing Program Subscriptions.

Reward Ranges

This section outlines the reward ranges, which are determined by the technical severity of the vulnerability. There may also be special conditions for rewards or for particular vulnerabilities.

In Scope Targets

In scope targets are the areas (applications, APIs, hardware, etc.) against which the Program Owner will accept vulnerability reports.

Again, be sure to only submit against in-scope targets to avoid invalid or other unwanted submission results. If you have a question, message support@bugcrowd.com.

Out of Scope

Each bounty has a list of targets that are out of scope. These targets must not be tested.

Program Rules

Program rules provide the disclosure terms and outline any specific rules that need to be followed for this program. If you have questions about the program rules, please contact our support team at support@bugcrowd.com.

It may be tempting to share your findings with others, but remember, each program has a disclosure policy that you must respect. Many programs do not want you to share the vulnerabilities that you've discovered with the public. Additionally, talking about a private program with another researcher who may not have been invited to the program is against the policies of Bugcrowd, as it discloses the existence of the program. Be smart, don’t do it.

For more information on disclosure policies for Bugcrowd programs, please see our Public Disclosure Policy page.

Program Updates

This section will provide you with all the recent and past important updates which have been made to the program.

Viewing the Program's Statistics

Each program provides you with insights into the rewards that have been distributed and the validation time for submissions.

Viewing Known Issues

This section provides information on previously reported vulnerabilities for the program so that you can decide how to concentrate your testing: on other areas that have not been previously reported, or more deeply on a specific area.

For additional information, please see Viewing Known Issues.

Please note:

You must be signed into the platform in order to be able to view Known Issues available on Public Programs.

Hall of Fame

Finally, public programs include this section, which shows the researchers who are in the Hall of Fame for this program. Read about entering a program's Hall of Fame in detail.
