
Bug Bounty Program Best Practices

Julie Kuhrt

We are often asked about the best way to work with incoming reports on a bug bounty program. Below are some of the best practices we have found while running our own program. We have divided them into four sections: initial actions when a report arrives, evaluation and criticality, actions after evaluation, and disclosure. Using these insights has given us great value as program runners, and has also helped us attract and continually engage the best researchers, on our platform and on the web at large.

If we could say only one thing to program owners, it would be this: communicate with your researchers through the comments and evaluation fields. Explain why you are doing something and when. This encourages the best responses and feedback, and it keeps talented researchers on your program.

With that in the back of your mind, please also consider the following best practices:

What to Do Initially When You Receive a Report

Triage the report (reproduce the proof of concept) and then, based on your findings, do the following:

Report Received

Evaluation and Criticality

When evaluating reports, how are the various categories defined? Here’s a brief guide:

Evaluation State

In addition to the evaluation, we always recommend giving written feedback; this is the best way to show appreciation for and engagement with the researcher community.

After Evaluation

To keep track of whether a rewarded report has been fixed or not, we recommend using our labelling system and/or our integrations with GitHub or Jira.

When a report has been fixed, it is good practice to write a comment telling the researcher so; that way they can verify that the issue is in fact patched. It is up to you whether you want to reward this extra check by the researcher via our tipping feature.

Disclosure

Once a report has been evaluated, the business (and the researcher) will have the option to publicly disclose it. Disclosing a vulnerability report, once patched, is a great way to share security knowledge, acknowledge the researcher's work, and show the world that you are being proactive about your security.

Happy Evaluating!
