Types

Private

  • Requires an invitation to participate.
  • Invitations are usually based on a hacker's track record, the frequency of valid findings, and their record of policy violations.
  • A representative example is how HackerOne issues invitations to private programs based on specific criteria.

Public

  • Accessible by the entire hacking community.

Something important to note is that the terms Bug Bounty Program (BBP) and Vulnerability Disclosure Program (VDP) should not be used interchangeably.

A vulnerability disclosure program only provides guidance on how an organization prefers to receive information about vulnerabilities identified by third parties; it does not promise payment. A bug bounty program incentivizes third parties to discover and report software bugs, and bug bounty hunters receive monetary rewards in return.

Code of Conduct

Spend considerable time reading the code of conduct. It does not just establish expectations for behavior; following it keeps a bug bounty hunter's testing and reports within the program's rules, which makes submissions more likely to be accepted and rewarded.

We strongly suggest that you go over HackerOne’s Code of Conduct to familiarize yourself with such documents.

Structure

Organizations typically publish a vulnerability disclosure policy with guidance on how they want to receive information related to potential vulnerabilities in their products or online services. The policy also includes the program's scope, which lists the assets hackers are allowed to test and submit reports for. Scope is often defined by domain names for web applications, or by the specific App Store / Play Store listings of the company's mobile apps.

A bug bounty program usually consists of the following elements:

Field                           Description
Vendor Response SLAs            Defines when and how the vendor will reply
Access                          Defines how to create or obtain accounts for research purposes
Eligibility Criteria            For example, be the first reporter of a vulnerability to be eligible, etc.
Responsible Disclosure Policy   Defines disclosure timelines, coordination actions to safely disclose a vulnerability, increase user safety, etc.
Rules of Engagement             Constraints on how testing may be performed (for example, no denial-of-service testing, no social engineering of staff)
Scope                           In-scope IP ranges, domains, vulnerabilities, etc.
Out of Scope                    Out-of-scope IP ranges, domains, vulnerabilities, etc.
Reporting Format                How a report should be structured and where it should be submitted
Rewards                         What is paid for which severity or asset, if anything
Safe Harbor                     The organization's commitment not to pursue legal action against research conducted in good faith within the policy
Legal Terms and Conditions      Remaining legal terms, such as confidentiality requirements
Contact Information             How to reach the program team
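Because testing an out-of-scope asset is a policy violation regardless of what is found, the first thing to do with a program's Scope and Out of Scope lists is to turn them into a check that every candidate target passes through before any request is sent. The script below is an added example, not code from the original page or from any program or platform; the policy entries it uses are constructed for a hypothetical program. It understands the forms scope lists typically contain (exact hostnames, `*.` wildcards, single IPs and CIDR ranges), treats exclusions as overriding inclusions, and distinguishes "unlisted" from "in-scope", since an asset the policy never mentions is not authorised for testing.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample policy for a hypothetical program (not a real one).
IN_SCOPE = ["*.example.com", "api.example.net", "203.0.113.0/24"]
OUT_OF_SCOPE = ["legacy.example.com", "*.staging.example.com", "203.0.113.7"]


def _parse_target(target):
    """Return ('ip', address object) or ('host', lowercase hostname).

    Accepts a bare hostname, a bare IP, or a full URL (the host is extracted).
    """
    target = target.strip()
    if "://" in target:
        target = urlsplit(target).hostname or ""
    target = target.lower().rstrip(".")
    try:
        return "ip", ipaddress.ip_address(target)
    except ValueError:
        return "host", target


def _entry_matches(entry, target):
    """True if one scope entry (host, wildcard, IP or CIDR) covers target."""
    entry = entry.strip().lower().rstrip(".")
    kind, value = _parse_target(target)
    # IP and CIDR entries only ever match IP targets of the same address family.
    try:
        network = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        network = None
    if network is not None:
        return kind == "ip" and value.version == network.version and value in network
    if kind != "host":
        return False
    if entry.startswith("*."):
        apex = entry[2:]
        # A wildcard covers every subdomain (any depth) but not the apex itself;
        # if the apex is in scope the policy normally lists it separately.
        return value.endswith("." + apex)
    return value == entry


def classify(target, in_scope=IN_SCOPE, out_of_scope=OUT_OF_SCOPE):
    """Classify a target: exclusions win, then inclusions, otherwise 'unlisted'.

    'unlisted' is deliberately distinct from 'in-scope': an asset the policy
    does not mention is not authorised for testing, even if it looks related.
    """
    if any(_entry_matches(e, target) for e in out_of_scope):
        return "out-of-scope"
    if any(_entry_matches(e, target) for e in in_scope):
        return "in-scope"
    return "unlisted"


if __name__ == "__main__":
    # Constructed candidate targets, e.g. the output of a subdomain enumeration run.
    for t in ["app.example.com", "legacy.example.com", "dev.staging.example.com",
              "example.com", "203.0.113.42", "203.0.113.7",
              "https://API.example.net/v1/users", "www.example.org"]:
        print(f"{t:36} {classify(t)}")
```

Feed the enumeration output through `classify()` and only keep targets that come back as "in-scope"; anything "unlisted" should be raised with the program (many policies explain how to ask about unlisted assets) rather than tested on the assumption that it belongs to the company.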