I work for a small company, and for our webapp we want to offer bug bounties for reported vulnerabilities, with monetary rewards based on criticality. The problem is that we only have a limited overall budget and don't want to promise anything we cannot pay. My question is: how do we best phrase the terms for our bug bounty program?
Let's take some imaginary numbers and an imaginary situation to describe the problem. Say the overall budget is 1000. I would offer 200 for each critical vulnerability reported.
Now I start the program and receive ten reports coming in one after another: report A, B, C, ... Each report contains a critical vulnerability, as claimed by the reporter. I take my time and check each report to see if it is valid. In the meantime, I get more reports. Let's say I have validated the first five as being critical. My budget would be exhausted by paying those reporters, but I still have more reports with valid vulnerabilities.
What would you suggest is the best approach here? Splitting? Paying based on "first in"? I don't want to bait people with false promises, but I also do not want to drain our finances. Of course, I would stop the reward announcement once I realize that the budget is running out.
Also, a related question: what is good practice if two reporters claim the same vulnerability? Do you reward both, do you split the bounty, or do you only reward the first one? I mean, someone could just report under a different name with a slightly modified PoC...
Thanks for your thoughts.