How do you handle bug bounty requests?

Question

Recently, we've received several emails from individuals claiming to have found vulnerabilities on our website and requesting a reward, typically in the form of a cash bounty. Some of these vulnerabilities are ones we were already aware of, while others are new to us.
Have you encountered similar situations?

Here are a few questions we're grappling with:
1. What is a reasonable reward for such findings? We're curious about the range of bounties others are offering. How do you determine the amount?
2. How do you manage communication with these individuals? What's the best way to handle their requests professionally and maintain a positive relationship?

Any advice, best practices, or insights would be greatly appreciated!

Marc Chia · Accepted Answer

Rewards can be all over the place, but here are some things to think about: How bad is the bug? Serious issues (like ones that let someone take over your system) should get a bigger reward than minor ones (like info leaks). Also it depends on the impact on your business. Lastly it will vary depending on where you are located. Bounties can vary a lot depending on where you are based.

Here are some ballpark figures:
Low severity: $50 - $200
Medium severity: $200 - $1,000
High severity: $1,000 - $10,000
Critical severity: $10,000+

Comms-wise I think its the standard be polite but firm. I think it doesn't hurt to be friendly but also say no if the price is too high. always useful to build a contact for assistance in the longer term if you find someone you can trust.

Annie Engelhardth · Answer

When I get bug bounty requests, I assess the impact of the vulnerability to decide on the reward. I’ve found that offering a range based on the issue's severity works best.

Sagara Pradipta · Answer

Handling a bug bounty request involves evaluating and verifying the bug report to ensure its validity, then prioritizing the issues based on their impact. After that, fixes are created and tested to ensure the implemented solution is effective without introducing new issues. Once the bug is fixed, feedback is provided to the reporter, the report is closed, and rewards are issued if appropriate. Documentation of this process is important for future reference and to improve the overall security system.

Yvik Ye · Answer

@marc_spectre Hi Marc, Thanks for your insights, it's really helpful, will take it as refer.😁

Answer

Offer rewards  according to the bug's risk level. Keep communication open and respectful, acknowledging their effort.

Answer

Use a  tiered reward system based on bug hardness. Manage communications professionally, acknowledging and updating frequently.

Answer

@yvik_ye Handling bug bounty requests can be tricky! 💻💰 Reward amounts vary, but many companies offer $100-$10,000 depending on severity. Clear communication and a transparent policy help keep things professional and positive. Good luck!

Sukumar · Answer

Got  a bug report? We’ll investigate and sort it out, keeping you informed.

Answer

I determine rewards based on the criticality of the bug—minor issues get a smaller reward, while serious vulnerabilities get a larger one.

Answer

I’ve dealt with bug bounty requests before. For rewards, I usually start with a baseline amount and adjust based on the severity of the vulnerability.

Answer

For communication, we use a standard template and ensure we verify each finding thoroughly before offering any reward.

Yunusa Abdullahi · Answer

Set rewards  from $100 to $5,000 depending on the bug's impact.

Alex Bravo · Answer

We handle bug reports by checking them out, fixing the issues, and keeping the reporter informed.

Answer

We check out bug reports and fix them if they’re serious. You’ll get updates.

William Seikh · Answer

We look at the bug, figure out the impact, and fix it. The reporter gets updates throughout.

How do you handle bug bounty requests?

Replies