Assigning Bounties

PreviousAssigning Swags NextAssigning Thanks to Reporters

Last updated 5 months ago

Was this helpful?

Assigning Bounties

Assigning bounties is a way for program managers to reward security researchers for their contributions in finding and reporting vulnerabilities. These bounties are monetary rewards given to security researchers for identifying and reporting valid vulnerabilities.

In BugBase, program managers can assign bounties to hackers through the "Assign Reward" feature. This feature allows managers to choose the bounty amount and assign it to the hacker. Program managers can set up different bounty amounts based on the type or severity of vulnerabilities.

Steps to Assign a Bounty

Navigate to the Report:
- Open the specific report page to which you want to assign the bounty.
Click on "Assign Rewards":
- At the top of the report page, click the "Assign Rewards" button.
Select Reward Type:
- Choose either:
  - Bounty Only: Assign only a monetary reward.
  - Bounty + Swag: Assign a monetary reward along with swag to the security researcher.
Enter Bounty Details:
- Enter the bounty amount manually or select from predefined bounty amounts.
Save Changes:
- Click "Save Changes" to finalize and assign the bounty.

Currency for Bounties

Bounties are assigned in the public currency selected by the program admin for the program.
At the time of assignment, the public currency is converted to the banking currency.

Assigning Bonuses

Once a bounty is assigned to a report, it cannot be modified. However, program managers can assign a bonus to the security researcher as an additional reward.

To assign a bonus:

Click the "Assign Rewards" button again.
Select the option to assign a bonus.
Enter the bonus amount.
Click "Save Changes" to confirm.

Collaborative Reports

When vulnerabilities are reported collaboratively by multiple hackers, BugBase automatically splits the bounty among the contributors. The split is based on the percentage of contribution decided by the hackers themselves.

Best Practices for Awarding Bounties

Follow Program Policy:
- Award bounties as per the program's guidelines. Ensure the report is valid and non-duplicate before assigning the bounty.
Reward Significant Out-of-Scope Findings:
- Consider awarding bounties for out-of-scope vulnerabilities if they have a significant impact.
Communicate Clearly:
- If the awarded bounty differs from the program policy or if a bounty is declined, provide clear explanations to hackers. This offers valuable feedback and encourages better submissions in the future.

Approval for Bounty Assignment:

Company Admins can configure bounty approval settings under Company Dashboard > Settings > Access > People.
When bounty approval is required:
- Bounties won’t be directly assigned.
- The bounty assignment can either be accepted or declined by members who have the necessary permissions.

PreviousAssigning Swags NextAssigning Thanks to Reporters

Last updated 5 months ago

Was this helpful?

Steps to Assign a Bounty

Navigate to the Report:
- Open the specific report page to which you want to assign the bounty.
Click on "Assign Rewards":
- At the top of the report page, click the "Assign Rewards" button.
Select Reward Type:
- Choose either:
  - Bounty Only: Assign only a monetary reward.
  - Bounty + Swag: Assign a monetary reward along with swag to the security researcher.
Enter Bounty Details:
- Enter the bounty amount manually or select from predefined bounty amounts.
Save Changes:
- Click "Save Changes" to finalize and assign the bounty.

Currency for Bounties

Bounties are assigned in the public currency selected by the program admin for the program.
At the time of assignment, the public currency is converted to the banking currency.

Assigning Bonuses

Once a bounty is assigned to a report, it cannot be modified. However, program managers can assign a bonus to the security researcher as an additional reward.

To assign a bonus:

Click the "Assign Rewards" button again.
Select the option to assign a bonus.
Enter the bonus amount.
Click "Save Changes" to confirm.

Collaborative Reports

Best Practices for Awarding Bounties

Follow Program Policy:
- Award bounties as per the program's guidelines. Ensure the report is valid and non-duplicate before assigning the bounty.
Reward Significant Out-of-Scope Findings:
- Consider awarding bounties for out-of-scope vulnerabilities if they have a significant impact.
Communicate Clearly:
- If the awarded bounty differs from the program policy or if a bounty is declined, provide clear explanations to hackers. This offers valuable feedback and encourages better submissions in the future.

Approval for Bounty Assignment:

Company Admins can configure bounty approval settings under Company Dashboard > Settings > Access > People.
When bounty approval is required:
- Bounties won’t be directly assigned.
- The bounty assignment can either be accepted or declined by members who have the necessary permissions.