How is the reward amount determined on different bug bounty platforms like Bugcrowd, HackerOne or Synack?

As a bug bounty program owner I can maybe define some rules for the rewards. What are the common, established rules and how do the different platforms support them?

Arminius

haba713
  • It's determined via bug severity and the company. Yes, if you are running a bug bounty programme you can determine the rules for reward – yeah_well Jan 27 '21 at 11:23
  • I don't see this question as on-topic here. While it is in the context of security it is only about payment - which is not an information security problem itself. – Steffen Ullrich Jan 27 '21 at 11:36
  • @SteffenUllrich, what is the right StackExchange site for this question? This site seems to have a lot of questions related with different bug bounty practices... like [this one](https://security.stackexchange.com/q/225730/233540) for example. – haba713 Jan 27 '21 at 11:53
  • @haba713: I don't think there is a right SE site for this. Not every aspect is covered by SE. Anyway, the question being off-topic is only my personal opinion, others might see it differently. – Steffen Ullrich Jan 27 '21 at 13:20
  • @SteffenUllrich I think wrt. allowing questions about bounty programs there has been a [positive sentiment](https://security.meta.stackexchange.com/questions/2569/establish-bug-bounty-tag). As for the payment aspect, I think it's possible to formulate a reasonably on-topic answer that's more in the realm of "security risk management" rather than "financial planning" which I'm guessing your concern is about. I'll go ahead and write one up – Arminius Jan 27 '21 at 19:39
  • I nominated the question for re-open based on my arguments above. Questions about implementing bug bounty programs seem generally considered on-topic. BBs are a growing part of infosec and intersect with the expertise of many users here. Payout determination is an important part of bug bounty program design, and has its own peculiarities. It falls under the topic of infosec management much more than it relates to financial planning/economy. Also, I tried to focus on the infosec-related aspects of it in my answer. – Arminius Jan 27 '21 at 23:48

1 Answer

Criteria to determine bounty amounts

A bug bounty program's rules should communicate the criteria and process used for determining bounty amounts as clearly as possible. However, bug bounty platforms usually don't constrain your program's reward structure or enforce fixed severity levels which you must adhere to. There are just too many cases that require some flexibility. That said, many program rules lay out tables of different tiers with baseline (and possibly maximum) payouts. The following are some common criteria to rank vulnerability submissions and determine adequate amounts.

  • Severity of the vulnerability. A more severe vulnerability should (obviously) pay more. A remote code execution bug is most likely more dangerous than XSS and so on. You can apply the Common Vulnerability Scoring System (CVSS) to quantify the severity of a given security bug. However, this may get tedious. Many program rules just set a rough list of tiers. E.g., Google's VRP distinguishes between remote code execution, file system/database access, security control bypasses, client-side code exec (e.g. XSS), and others. Similarly, the program of Uber makes use of several "security impact buckets".

  • Relevance of the affected application/component. This partially ties into the previous point. The same type of vulnerability may have a different impact on different sites or components. XSS on a static subdomain served over HTTP may not be as harmful as XSS on the main domain where users manage their accounts. As for a real-life example, Twitter's program distinguishes vulnerabilities affecting the Twitter core (e.g. on *.twitter.com) from all others. Google's VRP classifies applications as account management-related, high severity, normal, and non-integrated/lower priority applications, each with their own payout structure.

  • Maturity of the bug bounty program. A new program/scope should start with moderate bounties and increase payouts once the "low-hanging fruits" have been discovered and finding high-severity bugs becomes increasingly difficult. You should keep adjusting baseline amounts based on the reports you're receiving to pay fair bounties that balance the bug hunters' skill and time efforts with your budget.

  • Quality of the report. Some programs pay higher rewards for well-written reports. This is especially common/relevant for client software where some bugs can be significantly easier to investigate and patch with more technical information and post-report assistance by the researcher. E.g., Mozilla's Client Bug Bounty Program states "Improving test cases post-submission, figuring out if an engineer's speculation is founded or not, or other assistance that helps resolve the issue will increase your bounty payout." However, for your standard reflected XSS in a web app, a simple proof of concept is often sufficient and a submission quality rating has no merit.

  • Broader context of the bug. Sometimes, a vulnerability submission has an impact beyond the initial report. It may reveal a larger issue or be more critical than the researcher anticipated. Or, on the contrary, multiple reported vulnerabilities may all have the same root cause and it makes sense to treat them as a single bug. These considerations may, too, warrant a payout adjustment.

(Some of these points are presented similarly in the SANS whitepaper Bug Bounty Programs: Enterprise Implementation, chapter 2.7. Also have a look at #2 of this instructive post on the HackerOne blog.)

Assigning bounties on a bug bounty platform

...how do the different platforms support them?

Platforms generally let vendors choose the bounty amount freely. E.g. on HackerOne you can choose between pre-calculated amount levels or reward a custom amount.

[Image: HackerOne bounty amount selection (source: HackerOne Docs)]

HackerOne also provides an optional CVSS calculator which can be used to have a vulnerability's severity determined automatically.

The right bounty range to start with

... depends on the budget your company is willing to assign to the program. As mentioned above, you can start with low bounties and work your way up based on the reports received and bounties paid so far. It may help to look at the payout ranges of other companies that are comparable to your own business. The concrete financial considerations would be beyond this answer.

Arminius