Assigning Bounties
Assigning bounties is how program managers reward security researchers for finding and reporting valid vulnerabilities. A bounty is a monetary reward attached to an accepted report.
In BugBase, program managers assign bounties to hackers through the "Assign Reward" feature, which lets the manager choose the bounty amount and assign it to the hacker. Program managers can set up different bounty amounts based on the type or severity of the vulnerability.
To assign a bounty:
1. Navigate to the report: open the report page to which you want to assign the bounty.
2. Click "Assign Rewards": at the top of the report page, click the "Assign Rewards" button.
3. Select the reward type. Choose either:
   Bounty Only: assign only a monetary reward.
   Bounty + Swag: assign a monetary reward along with swag to the security researcher.
4. Enter the bounty details: enter the bounty amount manually or select one of the predefined bounty amounts.
5. Save changes: click "Save Changes" to finalize and assign the bounty.
Bounties are assigned in the public currency that the program admin selected for the program.
At the time of assignment, the amount is converted from the public currency to the banking currency.
Learn more about public currency, preferred currency, and banking currency here.
Once a bounty is assigned to a report, it cannot be modified. However, program managers can assign a bonus to the security researcher as an additional reward.
To assign a bonus:
1. Click the "Assign Rewards" button again.
2. Select the option to assign a bonus.
3. Enter the bonus amount.
4. Click "Save Changes" to confirm.
When vulnerabilities are reported collaboratively by multiple hackers, BugBase automatically splits the bounty among the contributors. The split is based on the percentage of contribution decided by the hackers themselves.
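The two rules above (a bounty is split by contributor percentages, and an assigned bounty cannot be changed but can be topped up with a bonus) are easy to get wrong at the cent level. The following is a constructed model added here for illustration; it is not BugBase's code, and the function names, the fixed public-to-banking exchange rate and the rounding policy are assumptions.

```python
from decimal import Decimal, ROUND_DOWN

# Constructed model of the bounty rules described above. It is not
# BugBase's own code; the function names and exchange rate are assumptions.

CENT = Decimal("0.01")


def split_bounty(total, shares):
    """Split a bounty among contributors by whole-percent shares.

    `shares` maps hacker -> percentage and must sum to 100. Each share is
    rounded down to the cent; the leftover cents go to the largest
    contributor (first on ties) so the payouts add up to exactly `total`.
    """
    total = Decimal(total)
    if any(s <= 0 for s in shares.values()) or sum(shares.values()) != 100:
        raise ValueError("contribution percentages must be positive and sum to 100")
    payouts = {h: (total * s / 100).quantize(CENT, rounding=ROUND_DOWN)
               for h, s in shares.items()}
    remainder = total - sum(payouts.values())
    payouts[max(shares, key=shares.get)] += remainder
    return payouts


class RewardLedger:
    """Append-only rewards for one report: a single bounty, then bonuses."""

    def __init__(self, public_to_banking_rate):
        # Assumption: the rate is fixed at assignment time, matching the
        # page's statement that conversion happens when the bounty is assigned.
        self.rate = Decimal(public_to_banking_rate)
        self.entries = []  # (kind, amount in public currency, amount in banking currency)

    def assign(self, kind, amount_public):
        amount_public = Decimal(amount_public)
        if kind not in ("bounty", "bonus") or amount_public <= 0:
            raise ValueError("kind must be 'bounty' or 'bonus' and amount positive")
        if kind == "bounty" and any(k == "bounty" for k, _, _ in self.entries):
            # An assigned bounty cannot be modified; extra reward is a bonus.
            raise ValueError("bounty already assigned; assign a bonus instead")
        banking = (amount_public * self.rate).quantize(CENT)
        self.entries.append((kind, amount_public, banking))
        return banking

    def total_banking(self):
        return sum((b for _, _, b in self.entries), Decimal("0"))
```

Splitting 1000.01 at 33/33/34 leaves one cent after rounding, which the helper gives to the largest contributor so the three payouts still total 1000.01.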
Recommended practice when assigning bounties:
Follow program policy: award bounties as per the program's guidelines, and make sure the report is valid and not a duplicate before assigning the bounty.
Reward significant out-of-scope findings: consider awarding bounties for out-of-scope vulnerabilities if they have a significant impact.
Communicate clearly: if the awarded bounty differs from the program policy, or if a bounty is declined, give the hacker a clear explanation. This provides valuable feedback and encourages better submissions in the future.
Company Admins can configure bounty approval settings under Company Dashboard > Settings > Access > People.
When bounty approval is required:
Bounties won't be assigned directly.
The bounty assignment can be accepted or declined by members who have the necessary permissions.