
Ultimate Guide to Bug Bounty

1.0.03.27.24

Table of Contents

Everything you need to know about bug bounty programs ... 03
The Basics of Bug Bounty Programs ... 05
Key Benefits of Bug Bounty Programs ... 07
What Do Bug Bounty Providers Offer? ... 08
What Motivates Hackers? ... 09
Can I Trust Hackers? ... 10
Factors to Consider When Getting Started with a Bug Bounty Program ... 12
Achieving Long-Term Success with a Bug Bounty Program ... 17
Bug Bounty Programs vs. Pen Testing vs. VDPs ... 20
The Bugcrowd Platform ... 22
Everything you need to know about bug bounty programs

Organizations have widely adopted various tools and training to help find security vulnerabilities in digital assets and mitigate the introduction of vulnerabilities during coding.

Unfortunately, the hastened onslaught of cybersecurity threats suggests that these solutions are still behind the curve in finding and helping to quickly remediate the most critical issues. Both the prevalence and impact of cyberattacks are worsening. This suggests that status quo security solutions have largely failed to help security teams discover vulnerabilities before malicious attackers can find and exploit them. With an increase in both the number of attackers and attack surface complexity, the goal of ensuring cybersecurity has become more difficult.

Many organizations invest in automation to address the increasing scale of attacks across massive assets, which is logical. However, scanners and other automated tools don’t recognize emerging vulnerabilities, only those that are already well understood. They have little to no understanding of context, making it almost impossible to separate signal from noise. Furthermore, they fail to anticipate the "attacker mindset" in a way that can be utilized for defense.

For those reasons, throughout the past decade, the industry has discovered the irreplaceable value of incentivizing highly skilled hackers to uncover hidden critical flaws in today’s massive attack surface, in the form of bug bounty programs.

How you design, measure, and implement a bug bounty program will have a major impact on its long-term success. To help you navigate this process, this guide explains:

→ The evolution of crowdsourced security and the emergence of the Crowd.
→ How a “bug bounty” is defined and its key benefits.
→ The different components of a bug bounty program.
→ How to get started, grow, and measure the impact of your bug bounty program over time.
→ What to ask a prospective bug bounty provider to ensure a good fit with your resources.
→ How to differentiate between a bug bounty program, a vulnerability disclosure program, and penetration testing.
The Basics of Bug Bounty Programs

What Is Crowdsourced Security?

Like other forms of crowdsourcing, crowdsourced security unites a disparate set of individuals to work toward a common goal. In this case, the goal is to discover and report hidden vulnerabilities in an attack surface.

Crowdsourced security is an approach to securing digital assets that draws from the collective skills and experiences of the world’s community of hackers. These highly capable individuals are given the direction, scope, and incentives they need to effectively simulate the varied techniques employed by threat actors to identify and report vulnerabilities. To learn more about crowdsourced security, check out Crowdsourced Security 101.

What Is a Bug Bounty?

Previously, the term “bug bounty” was used synonymously with the term “crowdsourced security.” With the arrival of additional ways to engage with a crowd, like penetration testing as a service (PTaaS) and attack surface management, the two terms have now been decoupled. Crowdsourced security is a resourcing model, while bug bounties involve an incentive (“pay for results”) model that encourages the discovery of severe flaws based on the potential for monetary rewards.

For example, if a hacker involved in a bug bounty reports a cross-site scripting vulnerability but the same vulnerability was already noted by the customer’s internal security team, or if it was uncovered by another hacker first, the individual is not paid for that submission.

In another example, two hackers may uncover different types of server security misconfigurations. If one is email spoofing and the other is using default credentials, both hackers would be paid, but the latter would command a higher rate due to greater potential business impact.

This model greatly reduces the average cost per vulnerability and ensures that customers are only paying for value received, which makes security return on investment (ROI) much easier to calculate.
History of Bug Bounties

In 1851, Alfred Charles Hobbs was paid 200 gold guineas by a lock manufacturer for rising to the challenge of picking one of its strongest locks. Flashing forward to the mid-90s and early 2000s, Netscape, iDefense, Mozilla, Google, and Facebook all had their own self-managed bug bounty programs, offering severity-based rewards to anyone who could identify vulnerabilities in their web applications.

Some organizations with large security teams and at an advanced stage of security maturity may still run their own bug bounty programs, but most that start in self-managed mode eventually migrate to “bug bounty as a service” solutions when they reach a certain scale. Generally, running bug bounty programs is outside the core competencies of most teams.

Who Participates in a Bug Bounty Program?

In crowdsourced security, “the Crowd” is the term used to refer to the massive, global community of hackers (also referred to as security researchers, ethical hackers, or white hats) who participate in bug bounty programs. These individuals are independent actors who work on crowdsourced security programs that they find to be fulfilling, lucrative, or both, either as their sole occupation or as a side hustle. The Crowd is the lifeblood of any crowdsourced security or bug bounty program and the main reason why the approach is so effective.

Hackers can and do hunt bugs on multiple platforms; no provider has an exclusive monopoly on them. So it’s important for a platform to match the right crowd to the end user’s needs at the right time.

Some crowdsourced security vendors boast a high number of hackers working on customers’ programs, but quality is a more important metric to focus on when working with the Crowd. Organizations want to be sure they’re working with a vendor that uses data to source and activate hackers with precisely the right skill sets and experience for their programs to boost engagement and critical findings, not just “throw bodies” at a problem.
Key Benefits of Bug Bounty Programs

Bug bounties are a pay-for-results approach to proactive security testing designed to maximize the discovery of high-impact vulnerabilities. Through managed bug bounty programs, organizations are given access to thousands of highly skilled and thoroughly vetted hackers ready to help organizations find vulnerabilities that other tools miss. The global nature of the Crowd means 24/7 talent availability, with launch timelines that blow traditional utilization-based models out of the water.

The ideal provider also offers 24/7 vulnerability visibility and reporting, fine-grained crowd matching to ensure access to the right talent, and seamless business process integration with a development team’s favorite ticketing and vulnerability management solutions.

Other Key Benefits Include:

SHARED ACCESS TO TOP TALENT
The crowdsourced model allows all participants to share the value of something impossible to replicate alone. Additionally, bug bounties provide an elastic workforce as needed.

RAPID LAUNCH AND TIME TO VALUE
A community of skilled, trusted hackers looking for bugs inside a pay-for-results framework drastically reduces the time to launch. A competitive, first-to-find incentive model also compresses the time needed to discover truly impactful bugs.

CONTINUOUS ASSURANCE
Not paying per head or per hour means organizations can afford to have a testing practice that matches today’s agile and continuous development cycles, because attackers don’t take days off.

UNIQUE SKILLS ON DEMAND
Many organizations have a great in-house team, but even the most resourced teams can’t cover all the skills needed to find all potential vulnerabilities within systems. The Crowd offers the largest rolodex of vetted, ranked, and highly active hackers with infinite combinations of skill and experience.

RAPID RISK REDUCTION
Competitive, incentive-based testing motivates hackers to think creatively and find high-impact vulnerabilities that present the greatest risk to businesses.
What Do Bug Bounty Providers Offer?

Unless their security maturity level is extreme, most organizations will choose to work with a managed bug bounty provider. Providers differ in robustness, comprehensiveness, and depth, so when comparing them, it’s important to understand each of their approaches.

SDLC Integration
Most serious providers will offer integrations into popular developer workflow tools, such as JIRA, GitHub, and ServiceNow, as well as an API. So it’s important to ask whether the integration is robust enough to meet your team’s most common use cases. In addition to these common developer tools, integrations into Slack and Trello can also improve communication and alerting workflows, while integrations with vulnerability management tools like Qualys can help contextualize and prioritize vulnerabilities from all discovery solutions.

Hacker engagement
Some bug bounty providers rely on leaderboards or other coarse-grained methods for building a bug bounty team. However, custom-curating a crowd based on skill, interest, ability, performance, and other dimensions (as Bugcrowd does) can make a huge difference in a program’s success. So when evaluating a provider, it’s important to dig into its crowd matching methodology to ensure it aligns with goals and expectations.

Reward payouts
Valid, non-duplicate, and in-scope vulnerabilities are rewarded from a set-aside sum of money known as the “bounty pool,” which can be topped off when it runs low. The actual reward is set in advance based on the incentive model determined by the program owner. By allowing an intermediary/provider to handle compliant payments, organizations avoid the headaches of individual tax procedures that differ by state and country.

Validation and triage
For bug bounty to deliver its full value, submissions must be validated and prioritized according to severity to help the program owner filter out noise. Be aware, however, that some providers offer triage as an add-on or afterthought (if at all), not a core competency. When choosing what is right for you, be aware that even “invite-only” bug bounties result in significantly more vulnerabilities than you may be used to.

Reporting and analytics
As the saying goes, “You can’t improve what you can’t measure.” To ensure the long-term success of bug bounty programs, it’s important to have the ability to monitor program health, uncover insights into trends and opportunities, and benchmark against internal or industry KPIs. This requires access to historical data that provide context about what success looks like, but not all providers (particularly newer ones) will have such data.
What Motivates Hackers?

Hackers go by a variety of names, but all share one critical trait: a desire to not only improve their families’ and their own lives but also to improve customers’ lives.

Per Bugcrowd's Inside The Mind of a Hacker report, 75% of hackers identify non-financial factors, such as personal development, the greater good, and enjoying a challenge, as their main motivators to hack. Only 29% of elite hackers hack full time, while the majority split hours between part-time hacking and full-time employment as analysts, engineers, and even CISOs. Furthermore, 77% of hackers work in IT or cybersecurity. The bug bounty community is a global group of well-intentioned individuals from all walks of life, with diverse backgrounds, technical skills, and expertise.

This diversity is what makes bug bounties so impactful: the crowd offers the opportunity to connect uniquely skilled individuals with organizations that need fresh perspectives.

[Chart: main motivators to hack. Personal development 28%, Financial gain 24%, Excitement 14%, Challenge 12%, Livelihood 7%, The greater good 6%, Something to do 5%.]
Can I Trust Hackers?

Ten years ago, a handshake and a background check were all that stood between aspiring pentesters and an organization’s data. Trust was binary and assumed by employment. But times have changed.

Bug bounty programs provide us with the opportunity to think critically about how trust is defined, measured, allocated, and revoked. Does a background check make someone more trustworthy than 3,000+ vulnerability submissions? For some, yes. Others would say that the promise of a reward serves as a greater incentive to follow the rules.

Modern bug bounty programs now have the technology required to dynamically assess talent by using both traditional measures of trust and those that consider performance and behavior.

Code of Conduct

While each provider decides how it allocates and manages trust, most start with a pre-program agreement. For example, hackers on the Bugcrowd Platform must agree to our Standard Disclosure Terms, which include a charter to do no harm in testing or in subsequent communications. This is similar to a non-disclosure agreement, but oftentimes, customers choose to work with hackers to safely disclose resolved findings for the good of all involved. In addition to this understanding, bug hunters on our platform also agree to abide by our Code of Conduct, which outlines the behavioral expectations for all Bugcrowd community members, both on and off platform.
Measures of Trust

There are several ways to assess trust:

Background checks
Background checks look for felony and major misdemeanor criminal convictions at the country, state, and federal level, as well as in international watch lists. Hackers must provide their full name, email, and countries in which they have lived in the last 7 years. While some platforms conduct background checks on all their hackers, Bugcrowd takes the reverse approach: only hackers who have proven themselves to be both skilled and professional are invited to complete a confidential criminal background check, if they so choose. This approach ensures that participants in programs requiring background checks comprise the most elite hackers.

ID verification
ID verification is sometimes required to ensure hackers are who they say they are and operating from the locations that we expect. Bugcrowd hackers can choose to be verified through a service known as NetVerify. Hackers initiate this process by uploading a picture of their face and photo ID. NetVerify then uses this information to validate identity and confirm location. This is useful for programs that require only nationals to be invited, and it also helps confirm that hackers are not operating from any areas on the OFAC sanctions lists.

Behavior and communication
Behavior and communication are also indicators of trustworthiness. Like security testing, trustworthiness cannot be determined based on a point-in-time assessment. Trust is built on a holistic and continuous view of a person’s behaviors and interactions. Bugcrowd’s Hacker Success team vigilantly monitors every active hacker’s interactions both on and off the platform to address any gaps or de-escalate misunderstandings. Just as a full-time employee can be removed from employment for egregious behaviors on social platforms, so too can a member of the Crowd be banned from individual programs or the platform as a whole.
Factors to Consider When Getting Started with a Bug Bounty Program

Bug bounty programs can take on many different forms depending on an organization’s goals, budget, testing timelines, and interest in specific skills. Before engaging with a bug bounty provider, ask the following questions:

Q Self-Managed or Managed?

While a few large enterprises do have the team required to manage their own bug bounty programs, these are usually highly visible, well-known, and reputable brands that can attract the attention of the broader security community. Organizations of all sizes typically opt for managed programs for a few reasons:

Relationship management
Like all communities, every member of the Crowd has their own unique way of interacting, hunting, and communicating that is often more an exercise in psychology than it is in operations. Most providers typically employ a dedicated team of experts who either come from the community or are well trained in the nuanced issues that hackers face. This can drastically reduce the chance of miscommunication or misunderstanding between the two parties.

Payment processing
This can be a nightmare for even the largest organizations to manage because it involves draining the resources of departments outside of security, such as finance. Managing who gets paid when and ensuring that tax forms are provisioned for each is no easy task.

Triage and prioritization
Bugcrowd offers engineered, best-in-class triage to drastically reduce the burden of vulnerability validation and prioritization and puts an enormous amount of time into caring for the hacker community and ensuring that their needs are met. Without an objective intermediary, relationships can sour, resulting in a sudden drop in engagement that can spread quickly throughout the community.
Q Narrow Scope or Open Scope?

A scope is the defined set of targets listed by an organization as assets that are to be tested as part of a particular engagement. Things that are listed as “in scope” are eligible for testing, and things that are “out of scope” are not to be tested. Within the context of a bug bounty, what’s in scope is what hackers are incentivized to report (and are rewarded for); what’s out of scope is off limits, and no compensation is given for findings related to those targets. Generally, it’s best to reach a maturity stage that implements an open scope as quickly as is feasible, because attackers have no limits where targets are concerned.

DEFINING SCOPE

[Figure: Limited scope → Wide scope → Open scope]

Limited scope
A limited scope on a bug bounty program is one that only includes single or specific targets. For instance, listing “example.com” as the only in-scope domain is considered a limited scope. Even if “accounts.example.com” and “api.example.com” were added to create a larger scope, this is still considered limited. Any time the scope is made up of precisely specified targets, it’s generally considered a limited scope.

Wide scope
A wide scope bounty program is one that includes a wildcard in the in-scope targets, such as “*.example.com.” This signifies that any subdomain of example.com is in scope. For instance, part of that wildcard could include previously unmentioned or unexplored attack surfaces, such as “staging-2019.example.com” or “admin.example.com,” both of which could offer rich opportunities for identifying vulnerabilities. Hackers are particularly adept at finding and exploiting assets that have been forgotten or hidden by the sands of time. By including a wildcard, an organization increases the probability of identifying security risks across a much broader swath of an attack surface.

Open scope
An open scope bounty program is one that has no limitations on what hackers can or cannot test, so long as the target/asset belongs to a specific organization. Open scopes generally look something like “any externally facing asset belonging to Example Org,” where nothing is excluded. Hackers are highly effective at identifying assets here; some may find and exploit an old marketing page for an event from a decade ago. Additionally, they may find keys or sensitive information stored on GitHub or Pastebin. There may be remnants from mergers, acquisitions, and any other artifacts that live in a litany of different places on the web. Running an open scope leverages the power of the whole crowd in finding and identifying any exposures an organization may have online, and most of the time, there’s a lot more out there than an organization realizes.

Organizations generally choose between a limited scope, a wide scope, or an open scope for their programs. Once an organization establishes what’s in scope, it can begin writing the “bounty brief” that will help communicate to hackers its targets, priorities, exclusions, and incentive scheme.
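The three scope shapes above, together with the payout rules described earlier (the XSS already known to the internal team that earns nothing, the first-to-find rule, and the "valid, non-duplicate, and in-scope" condition for drawing on the bounty pool), can be expressed as a small triage decision. The code below is an added example written for this guide and is not Bugcrowd's code or the platform's logic: the example.com hosts, the P1–P5 reward figures, the bounty pool size, and the six submissions are constructed assumptions. It classifies each submission as out of scope, not reproducible, a duplicate, paid, or unpaid because the pool ran dry, in submission order.

```python
"""Added example (not from the guide): scope matching plus first-to-find payout.
All hosts, submissions and reward amounts are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlsplit

# Reward table by priority: assumed illustrative figures, not a real program's.
# P5 is informational, so it is accepted but earns nothing.
REWARDS = {"P1": 5000, "P2": 2000, "P3": 750, "P4": 200, "P5": 0}


def host_of(target: str) -> str:
    """Normalise a submitted target (URL or bare host) to a lower-case hostname."""
    if "://" not in target:
        target = "//" + target
    return (urlsplit(target).hostname or "").lower().rstrip(".")


def matches(pattern: str, host: str) -> bool:
    """Exact host match, or wildcard '*.example.com' meaning any subdomain (the
    guide's definition); the apex 'example.com' must be listed separately."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


@dataclass(frozen=True)
class Scope:
    kind: str              # "limited" | "wide" | "open"
    targets: tuple         # hosts/wildcards; for "open", the org's root domains
    exclusions: tuple = () # hosts/wildcards listed as off limits in the brief


def in_scope(scope: Scope, target: str) -> bool:
    host = host_of(target)
    if not host or any(matches(x, host) for x in scope.exclusions):
        return False
    if scope.kind == "open":
        # Any asset belonging to the organisation: a root domain or anything under it.
        return any(host == d or host.endswith("." + d) for d in scope.targets)
    if scope.kind == "limited":
        return any(host == t.lower() for t in scope.targets)  # wildcards are not honoured
    return any(matches(t, host) for t in scope.targets)       # wide


@dataclass(frozen=True)
class Submission:
    id: str
    hacker: str
    target: str
    vuln_class: str        # e.g. "xss", "default-credentials"
    location: str          # endpoint/parameter that pins the finding down
    priority: str          # P1..P5 assigned at triage
    submitted_at: datetime
    reproduced: bool       # triage could reproduce it

    def fingerprint(self):
        return (host_of(self.target), self.vuln_class, self.location)


def triage(subs, scope, known_internal, pool):
    """Return (decisions, remaining_pool); each decision is (id, outcome, amount).
    Submissions are processed in arrival order so the first valid report of a
    fingerprint is paid and later ones are duplicates; known_internal holds
    fingerprints the customer's own team had already found."""
    decisions, seen = [], set(known_internal)
    for s in sorted(subs, key=lambda s: s.submitted_at):
        if not in_scope(scope, s.target):
            decisions.append((s.id, "out-of-scope", 0)); continue
        if not s.reproduced:
            decisions.append((s.id, "not-reproducible", 0)); continue
        fp = s.fingerprint()
        if fp in seen:
            decisions.append((s.id, "duplicate", 0)); continue
        seen.add(fp)
        amount = REWARDS[s.priority]
        if amount > pool:  # pool needs topping off before this one can be paid
            decisions.append((s.id, "unpaid-pool-empty", amount)); continue
        pool -= amount
        decisions.append((s.id, "paid", amount))
    return decisions, pool


# Constructed sample program: wide scope on example.com, a vendor CDN host excluded,
# and one XSS the internal team had already logged.
SCOPE = Scope("wide", ("example.com", "*.example.com"), ("*.cdn-vendor.example.com",))
KNOWN_INTERNAL = {("app.example.com", "xss", "GET /search?q")}
T = datetime(2024, 3, 1, 9, 0)
SAMPLE = [
    Submission("s1", "alice", "https://app.example.com/search?q=x", "xss", "GET /search?q", "P3", T, True),
    Submission("s2", "bob", "https://staging-2019.example.com/admin", "default-credentials", "admin login", "P1", T.replace(hour=10), True),
    Submission("s3", "carol", "mail.example.com", "email-spoofing", "SPF/DMARC", "P4", T.replace(hour=11), True),
    Submission("s4", "dave", "https://staging-2019.example.com/admin", "default-credentials", "admin login", "P1", T.replace(hour=12), True),
    Submission("s5", "erin", "https://partner.example.org/", "idor", "GET /orders/{id}", "P2", T.replace(hour=13), True),
    Submission("s6", "frank", "api.example.com", "sqli", "POST /v1/login user", "P2", T.replace(hour=14), True),
]


def run_sample():
    """Triage the constructed submissions against a 6000 bounty pool."""
    return triage(SAMPLE, SCOPE, KNOWN_INTERNAL, pool=6000)
```

Running `run_sample()` reproduces the guide's two scenarios: s1 is a duplicate of the internal team's finding, the default-credentials report (s2, P1) is paid more than the email-spoofing report (s3, P4), s4 loses on first-to-find, s5 is on a domain outside the wildcard, and s6 is valid but waits for the pool to be topped off.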

Q Staging or Production?

After determining what’s in scope, it’s time to consider where in the development lifecycle focused testing is most appropriate. Where possible, we suggest utilizing preproduction/staging environments, as opposed to production. There are many reasons to consider this option, including reduced impact on customers and ease of credential provisioning for hackers, and much more:

→ Hackers can help identify issues in new app versions before each release.
→ There’s no chance of staging environments made unstable by the volume and type of hacker testing affecting users.
→ It’s typically far less expensive to fix vulnerabilities identified in preproduction before a service is made widely available.
→ It’s typically easier to mass-create staging credentials for hackers.
→ If there is a purchase point in an application, it’s usually much easier to provide fake credit cards, SSNs, etc., in non-production environments.
→ It’s much easier to restrict access to only certain hackers (only allowing access from a specific IP address), thereby providing better visibility into hacker testing/coverage.
Q Public or Private?

The power of crowdsourced security stems from its numbers. While this can refer to the total number of people involved in a program, it also refers to the broader network of available talent. More thoroughly vetted and continuously ranked hackers means that organizations will always have the team that best fits their testing environments.

Because more people on a program also means more vulnerabilities, Bugcrowd recommends starting small, with invite-only access, until vulnerabilities reach a manageable level and organizations feel comfortable graduating to public access (if appropriate).

Private programs are invite-only programs that target a select group of hackers based on technical and business requirements. No one else in the community, or beyond, will be able to see details on or access these private programs.

With public programs, any registered hacker can see, access, and work on their stated scope of assets. Public programs typically have a much broader scope, which allows for a wider range of potential vulnerabilities to be identified by a larger set of unique skills and experiences. Check out some of Bugcrowd’s public programs on our website.

Q On-Demand or Ongoing?

While the structure of crowdsourced security programs enables continuous testing where it was previously not possible, it may be the case that testing or budget cycles limit an organization to only ~2-week testing sprints.

On-Demand
A time-boxed, point-in-time program may run in isolation, or periodically throughout the year.

Continuous
An ongoing program is a good fit for high-value targets or agile development environments, where the asset may face frequent change.
Q Which Integrations Matter Most?

A strong vulnerability discovery solution is weak without a way to facilitate rapid remediation. While security teams aren’t responsible for providing the fix, they are better served if they can make the remediation process as easy as possible for the development team.

Therefore, it is important to ensure that a provider can provide vulnerability-specific remediation advice and decide which integrations matter the most to a development team for the presentation of that information. The Bugcrowd Platform offers pre-built integrations with JIRA, GitHub, ServiceNow, Trello, and Slack, in addition to webhooks and APIs, making it easier for security professionals to enqueue prioritized vulnerabilities and for developers to see what should be addressed first, how to go about this, and whether anything else stands in the way. Context is key.

As JIRA is the most common ticketing and management system for most users, it’s important to accommodate the following top three use cases:

Centralized JIRA security project
The AppSec team has one “security” JIRA project to manage its security work. Having one security JIRA project between security and development is a great way to centralize work; it is simple to maintain, as there is no logic needed to understand where tickets are created.

In developer JIRA projects
The AppSec team pushes security tickets into a developer’s JIRA projects while respecting the developer’s ownership. Enterprise organizations typically have more than one development team or business application, which requires more than one JIRA project.

Hybrid
This hybrid of both features one “security” project and a linked issue in a developer’s JIRA projects. The primary benefit of this approach is maintaining control if development makes edits. This provides an additional layer of accountability and visibility.
Achieving Long-Term Success with a Bug Bounty Program

Setting Expectations

Bug bounties can greatly reduce the risk of vulnerabilities to an organization. Leveraging a solution like the Bugcrowd Platform can relieve a lot of the burden. But this doesn’t remove the importance of program owners being active participants in their programs. Bug bounty programs take time to maintain and grow, and broad organizational commitment is required to make them successful.

It’s important for security professionals to have open dialogue with their executive teams about the implications of such a program. This could include potential impacts on budget structures (to accommodate a variable bounty pool), as well as impacts on engineering should a sudden influx of vulnerabilities disrupt current processes.

Additionally, bug bounty program owners must commit to timely platform responses, including accepting validated vulnerabilities or addressing program issues raised by a provider.

Crawl, Walk, Run

Approaching bug bounty programs with a “crawl, walk, run” mindset is a recipe for success for any organization of any size. Big public launches drive press coverage and broader awareness, but these aren’t always appropriate if a security team is not quite ready for that volume. Processing and payment is one matter, but once a program owner knows about an issue, they should also be prepared and equipped to promptly resolve it. An example of the “crawl, walk, run” approach includes:

Launch private bug bounty with limited scope → Transition to public program → Increase rewards, add targets, boost engagement
Tips to Growing a Bug Bounty Program

Finally, iteration is an important part of any successful bug bounty program. What worked to fuel hacker engagement yesterday might not work today. Bugcrowd has a decade of experience in identifying risks to growth, and as a result relies on three key “levers” to encourage long-term success.

Evolve a program’s scope

Re-evaluate the attack surface: Many programs start with publicly available web targets. As time goes on, it’s important to explore an organization’s full attack surface. Hackers are most committed to programs with a varied and evolving scope.

Consider the product pipeline: New and recent product features or code changes are often overlooked for bug bounty inclusion. Working a bug program into any security/product interface can reduce the chances that something is missed.

Review the bounty brief: A bug bounty vendor will be well practiced in restructuring a bounty brief to ensure an organization’s interests are being clearly communicated. Perhaps you were hoping for more testing in a certain area. If you’re not explicit about it in your brief, it’s possible that hackers missed the information.

Keep up with reward rates

Grow with the program: The longer programs run, the higher the rewards should be to reflect the increased difficulty of finding new vulnerabilities. Bugcrowd can also provide insight into the market rate for vulnerabilities, as they change over time. Don’t forget that hackers can choose from many different programs; the right reward range can help programs stay competitive.

Demonstrate code confidence: Increasing rewards typically signifies confidence in the products launched. Higher rewards attract more skilled hackers, who are happy to accept the challenge. “Hardened” targets with a narrower scope should increase rewards to ensure proper attention from skilled hackers.

Highlight areas of interest: If a scope includes multiple targets but an organization recently updated the code to one particular asset and wants to ensure it’s thoroughly tested, temporarily increasing rewards for that asset is likely to boost engagement.

Focus on relationships

Reduce response time: Response time is measured as the time between when a customer receives a triaged bug and the time the submission is reviewed by the customer. Typically, customers should at least respond to (accept or reject) submissions within one week.

Invest in communication: Managed bug bounty programs thrive off a very symbiotic relationship; hackers and customers must work together and understand one another’s needs.

Act with empathy: It’s important to remember that hackers are human and have families and lifestyles to support. Having a reputation for accepting vulnerabilities in a timely fashion helps hackers identify which programs they can rely on for timely payouts.
Bug Bounty Programs vs. Pen Testing vs. Vulnerability Disclosure Programs (VDPs)

Bug bounty programs, pen testing, and VDPs are standard offerings of an elite crowdsourced security platform. However, the difference between these three offerings can be a little confusing, especially for organizations looking to combine products as part of a layered security approach.

VDPs

A VDP is a secure, publicly available channel for anyone to submit security vulnerabilities to organizations, helping them mitigate risk by enabling the disclosure and remediation of vulnerabilities before they are exploited by bad actors.

In contrast to bug bounties, VDP submissions are not incentivized by cash rewards. Publishing a vulnerability report after it has been fixed is another common attribute of VDPs and gives hackers the opportunity to share knowledge and enhance their own reputation in the process.

A VDP is also open scope, meaning that anybody can participate and attempt to find vulnerabilities on any target/asset belonging to an organization.

Whether or not an organization also has a bug bounty program, we highly recommend that every organization leverage a VDP. A VDP should be a baseline security standard for everyone. A VDP establishes a “see something, say something” mindset within an organization that carves out a global channel for vulnerability reports and publicly demonstrates that a company is doing everything possible to protect its customers, partners, and suppliers.

87% of organizations report receiving at least one P1 vulnerability through their VDP.
Pen Testing

According to the National Institute of Standards and Technology (NIST), pen testing is defined as “security testing in which assessors mimic real-world attacks to identify methods for circumventing the security features of an application, system, or network.”

In other words, pen testing is a simulated cyberattack carried out by authorized third parties (known as pentesters), who test and evaluate the security vulnerabilities of a target organization’s computer systems, networks, and application infrastructure.

Pen tests have three defining characteristics: they are performed by external testers, are typically time bound, and usually follow a testing methodology. Many organizations also expect a final report to demonstrate regulatory compliance to an auditor.

It’s common to conflate bug bounty programs and pen testing because they rely on attacker tools, techniques, and mindsets for vulnerability discovery under a predefined scope. Pen testing and bug bounty programs have very similar goals but differ with respect to the intensity of the assessment. Pen tests are methodology driven and are best for coverage, whereas bug bounties are better for risk reduction.

With this in mind, one can easily envision a layered strategy for both compliance and risk reduction that combines:

→ Ongoing vulnerability discovery and assessment—when the exploitability of vulnerabilities is confirmed, this is what some might consider a “basic” pen test.

→ Periodic, human-driven pen testing to find common flaws that Option 1 may have missed (what some might consider a “standard” pen test).

→ A continuous bug bounty running “over the top” to pick up emerging vulnerabilities not yet reflected in the methodologies used in Options 1 and 2.
The Bugcrowd Platform

Bug bounty programs aren’t the only way to leverage the power of the Crowd. The multi-solution Bugcrowd Platform brings the right crowd into all your workflows at the right time, allowing you to run bug bounties, penetration tests, VDPs, and more at scale and in an integrated, coordinated way.

Vulnerability Disclosure: Accept External Feedback
Bug Bounty: Discover More Vulnerabilities
Penetration Testing as a Service: Go Beyond Compliance
Attack Surface Management: Discover and Prioritize Unknown Assets

The Bugcrowd Platform: AI-driven Crowd Curation; Validation & Triage; Workflow Orchestration & Automation; Analytics & Reporting
Hackers and Pentesters (Hacker Workbench) / Customers (Management Console)
DevOps Integration—API, Webhooks, and Pre-Built Connectors for JIRA, GitHub, ServiceNow, etc.

Best Security ROI from The Crowd
We match you with the right trusted hackers for your needs and environment across hundreds of dimensions using AI.

Instant Focus on Critical Issues
Working as an extension of the platform, our global security engineer team rapidly validates and triages submissions, with P1s (critical vulnerabilities) often handled within hours.

Continuous, Resilient Security for DevOps
The platform integrates workflows with existing tools and processes to ensure that applications and APIs are continuously tested before they ship.

Contextual Intelligence for Best Results
We apply accumulated knowledge from over a decade of experience crafting thousands of customer solutions to your goals for better outcomes.
Platform Tour: See the Bugcrowd Platform in action
Data Sheet: Managed Bug Bounty

Unleash the ingenuity of the global hacking community now. Try Bugcrowd.
