A program’s bounty brief tells you everything you need to know about the program, such as the targets, goals, and scope. It defines what is in scope for the bounty and clearly outlines the company's expectations. You must thoroughly review the bounty brief before you start working on a program.
The brief also sets your expectations for reward, indicating if you can earn cash rewards for your vulnerability reports, at what range and an average of how long it may take for your submission to be reviewed and a reward determined, based on previously rewarded bounties.
To view the bounty brief for a particular program, go to the Programs list.
Click on the name of a program name to view its bounty brief.
The bounty brief will look like a variation of this:
Each bounty brief differs depending on the needs of the company. At a minimum, it tells you the following information:
- The company overview.
- The targets you can test.
- Areas the company wants you to focus on.
- Areas that are out of scope for testing.
- Additional rules that you must follow.
Always review the Bounty Brief before beginning testing
This helps prevent Out of Scope submissions.
Reporting a vulnerability against a target not explicitly in scope may result in your report being marked as Out Of Scope, with a penalty of -1 point applied to your profile. If you have any questions about the scope of the program, please contact our support team at firstname.lastname@example.org.
Now we'll walk through different parts of the bounty brief you might see on a program.
This designation lets you know who the program is managed by Bugcrowd, meaning our team handles triage and support. The majority of programs on the platform are managed by Bugcrowd.
Following a particular program will provide you with email notifications of any important changes made on that program. These emails will include details on the exact changes made (ie Reward increases, or new targets or exclusions) and will also provide a link to the 'Program Updates' page. There you can find more details on any particular changes made on that specific program.
You will automatically follow a program once you submit your first report to that specific program or upon accepting an invitation to a private program.
For more in-depth information on following a program, see Managing Program Subscriptions.
Reward ranges determined by vulnerability technical severity will be outlined in this section. There may also be special conditions for rewards or vulnerabilities.
In scope targets are the areas (applications, APIs, hardware, etc) that the Program Owner will accept vulnerability reports towards.
Again, be sure to only submit against in-scope targets to avoid invalid or other submission results. If you have a question, message Support@bugcrowd.com.
Each bounty has a list of targets that are out of scope. These targets must not be tested.
Program rules provide the disclosure terms and outline any specific rules that need to be followed for this program. If you have questions about the program rules, please contact our support team at email@example.com.
It may be tempting to share your findings with others, but remember, each program has a disclosure policy that you must respect. Many programs do not want you to share the vulnerabilities that you've discovered with the public. Additionally, talking about a private program with another researcher who may not have been invited to the program is against the policies of Bugcrowd, as it discloses the existence of the program. Be smart, don’t do it.
For more information on disclosure policies for Bugcrowd programs, please see our Public Disclosure Policy page.
This section will provide you with all the recent and past important updates which have been made to the program.
Each program provides you insights into the rewards that have been distributed and the validation time for submissions.
This section provides information on previously reported vulnerabilities for the program so that you choose how to concentrate your testing, on other areas that have not been previously reported or by choosing to focus in a specific area more deeply.
For additional information, please review to Viewing Known Issues.
You must be signed into the platform in order to be able to view Known Issues available on Public Programs.
Finally, Public programs include this section which shows Researchers that are in the Hall of Fame for this program. Read about entering a Program's Hall of Fame in detail.