Bug Bounty Hunting Process
Bug Bounty Programs
Program Types
A bug bounty program can either be private or public.
- private
  - not publicly available
  - can only participate upon receiving a specific invitation
- public
  - accessible by the entire hacking community
- parent/child programs
  - bounty pool and a single cyber security team are shared between a parent company and its subsidiaries
Note
Bug Bounty Programs (BBPs) and VDPs (Vulnerability Disclosure Programs) should not be used interchangeably.
A VDP only provides guidance on how an organization prefers to receive information on vulns identified by third parties. A BBP incentivizes third parties to discover and report software bugs, and bug bounty hunters receive monetary rewards in return.
Code of Conduct
The violation record of a bug bounty hunter is always taken into consideration. For this reason, it is important to adhere to the code of conduct of each BBP or bug bounty platform. Spend considerable time reading the code of conduct, as it does not just establish expectations for behavior but also makes bug bounty hunters more effective and successful in their bug report submissions.
Program Structure
A BBP usually consists of the following elements:
| Element | Description |
|---|---|
| Vendor Response SLAs | Defines when and how the vendor will reply |
| Access | Defines how to create or obtain accounts for research purposes |
| Eligibility Criteria | For example, be the first reporter of a vuln to be eligible, etc. |
| Responsible Disclosure Policy | Defines disclosure timelines, coordination actions to safely disclose a vuln, increase user safety, etc. |
| Rules of Engagement | |
| Scope | In-scope IP ranges, domains, vulns, etc. |
| Out of Scope | Out-of-scope IP ranges, domains, vulns, etc. |
| Reporting Format | |
| Rewards | |
| Safe Harbor | |
| Legal Terms and Conditions | |
| Contact Information | |