BugBase Documentation
Best Practices For Designing Policy

A bug bounty policy is the document that sets out the rules, rewards, and expectations of a bug bounty program. An organization publishes it to encourage ethical hackers and security researchers to find and report vulnerabilities in its software or web applications on agreed terms.

The policy covers the scope of the program (which assets or systems are in scope and which are out of scope), the types of vulnerabilities that are eligible for rewards, the rewards offered for each class of vulnerability, and the process for submitting and validating reports.

It also states the rules of engagement, how and when rewards are paid, and the process for disclosing vulnerabilities. The policy is an important document: it sets the tone and the rules of the program, and a clear, fair one helps attract and retain strong hackers.

Here are some best practices for writing a good policy for a bug bounty program:

  1. Be clear and concise: A good policy is easy to read, so that a hacker can tell at a glance what is in scope, what is out of scope, and what reward to expect for each type of vulnerability. Ambiguity in the policy turns into disputes at triage time.

  2. Define scope clearly: List in-scope and out-of-scope assets and vulnerability classes explicitly. If you use wildcards (such as `*.example.com`), state whether the apex domain is included and make clear that an explicit out-of-scope entry overrides a broader in-scope pattern. Anything not listed should be understood as out of scope. A precise scope helps hackers focus on the parts of the application that matter most to your organization and keeps them off systems you do not want tested.

  3. Reward system: Define the reward system, including the types of rewards offered (bounty, swag, thanks), the criteria for earning each, and the process for submitting and validating reports. Say how severity is assessed and how duplicates are handled.

  4. Communication: Make the policy available to every potential hacker before they start testing, and make sure they understand the rules and expectations. Announce changes to scope or rewards rather than editing them silently, and handle reports submitted under the earlier version fairly.

  5. Policy review: Review and update the policy regularly to reflect changes in the threat landscape, new or retired assets, and the evolving needs of your organization.

  6. Be fair and consistent: Apply the same reward criteria to every report and be transparent about what those criteria are.

  7. Be transparent with hackers: Explain how reports are triaged, validated, and rewarded, and give a reason when a report is rejected or downgraded.

  8. Be open to feedback and suggestions: Invite feedback from hackers and use it to improve the program and the policy.

By following these best practices, you can create a policy that is clear, fair, and effective in incentivizing hackers to find and report vulnerabilities in your application.
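Point 2 above is the one most often argued over at triage, so it helps to express the scope as data and check reported hosts against it mechanically. The following is an added example, not code from the BugBase platform or its documentation: a policy's in-scope and out-of-scope asset lists, a deterministic check that applies the precedence rules recommended above (exclusions override inclusions, unlisted assets are out of scope, wildcards do not cover the apex), and a small lint that flags common policy mistakes. The `example.com` and `example.net` hosts and the sample policies are constructed for illustration and are not real program assets.

```python
"""Scope evaluation for a bug bounty policy (illustrative example, not BugBase code)."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass(frozen=True)
class ScopeDecision:
    host: str
    in_scope: bool
    matched_rule: Optional[str]  # the policy entry that decided the outcome, if any
    reason: str


@dataclass
class ScopePolicy:
    # Entries are hostnames or shell-style wildcard patterns such as "*.example.com".
    # Note that "*" in fnmatch also matches dots, so "*.example.com" covers
    # "a.b.example.com" but never the apex "example.com" itself.
    in_scope: List[str] = field(default_factory=list)
    out_of_scope: List[str] = field(default_factory=list)

    @staticmethod
    def _normalize(host: str) -> str:
        # Hostnames are case-insensitive and may be reported with a trailing dot.
        return host.strip().lower().rstrip(".")

    def evaluate(self, host: str) -> ScopeDecision:
        h = self._normalize(host)
        # Exclusions win over inclusions: an explicit out-of-scope entry overrides
        # a broader in-scope wildcard, which is the precedence hunters expect when
        # a policy lists both "*.example.com" and a staging host they must not touch.
        for pat in self.out_of_scope:
            if fnmatchcase(h, self._normalize(pat)):
                return ScopeDecision(h, False, pat, "matches an out-of-scope rule")
        for pat in self.in_scope:
            if fnmatchcase(h, self._normalize(pat)):
                return ScopeDecision(h, True, pat, "matches an in-scope rule")
        # Silence is not consent: anything the policy does not list is out of scope,
        # which is why the policy should enumerate assets explicitly.
        return ScopeDecision(h, False, None, "not listed in the policy")


def lint_policy(policy: ScopePolicy) -> List[str]:
    """Flag policy entries that tend to cause triage disputes."""
    warnings: List[str] = []
    for pat in policy.in_scope:
        # A wildcard entry silently leaves the apex domain out of scope.
        if pat.startswith("*.") and pat[2:] not in policy.in_scope:
            warnings.append(
                f"'{pat}' does not cover the apex '{pat[2:]}'; list it explicitly if it is in scope"
            )
    for pat in policy.out_of_scope:
        is_literal = not any(ch in pat for ch in "*?[")
        covered = any(fnmatchcase(pat.lower(), ip.lower()) for ip in policy.in_scope)
        # An exclusion that no inclusion would ever match is either redundant or a typo.
        if is_literal and not covered:
            warnings.append(
                f"'{pat}' is excluded but no in-scope rule would include it; redundant or a typo"
            )
    return warnings


# Constructed sample policies (placeholders, not real program assets).
SAMPLE_POLICY = ScopePolicy(
    in_scope=["example.com", "*.example.com", "api.example.net"],
    out_of_scope=["staging.example.com", "*.internal.example.com"],
)

AMBIGUOUS_POLICY = ScopePolicy(
    in_scope=["*.example.com"],
    out_of_scope=["staging.example.net"],
)


if __name__ == "__main__":
    for host in ["www.example.com", "staging.example.com", "db.internal.example.com",
                 "example.com", "API.EXAMPLE.NET.", "example.org"]:
        d = SAMPLE_POLICY.evaluate(host)
        print(f"{d.host:28} in_scope={d.in_scope!s:5} rule={d.matched_rule!r:26} {d.reason}")
    for w in lint_policy(AMBIGUOUS_POLICY):
        print("lint:", w)
```

The check is deliberately strict in the hunter's favour on only one point: normalization of case and trailing dots, so a report is not rejected on a formatting technicality. Everything else resolves against the program, which is the behaviour you want to write into the policy text as well, so that the document and the triage decision agree.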


Last updated 1 year ago
