Framework

  • Chapter 6: Handling Disputes

    Date: July 22, 2024 Authors: Logan MacLaren, Chris Holt, Adam Bacchus Respond to Disputes Like any scenario involving human interaction, you’re going to have to deal with disputes over severity assignments and payment amounts for your Bug Bounty Program.  These disputes often boil down to one single point – the researcher believes the severity assessmentContinue…


  • Chapter 5: All Things Payment

    Date: May 13, 2024 Authors: Logan MacLaren, Deana Shick, Christopher Robinson, Katie Trimble-Noble, Jeff Guerra, Chris Holt Introduction Vulnerability Disclosure Programs (VDP) are differentiated from a sub-classification known as Bug Bounty programs (BBP) when rewards are offered. There are many methods to determine your incentive or payment schedule. Typically, payouts are tied to one ofContinue…


  • Chapter 4: Scope and Budget

    Date: September 7, 2021 Authors: Anil Dewan, Annika Erickson, Katie Trimble-Noble, Christopher Robinson, Deana Shick Introduction By now, we hope that you have read Chapters 1, 2, and 3, and are ready to begin scoping and budgeting your Bug Bounty program. If you haven’t read those chapters and are new to Bug Bounty, we encourage you to doContinue…


  • Chapter 3: Charter Your Program & Set Strategic Objectives

    Date: July 28, 2021 Authors: Anil Dewan, Annika Erickson, Katie Trimble-Noble, Deana Shick Overview If you have stumbled upon this Chapter of the Bug Bounty Framework, you may have decided that a Bug Bounty program fits your needs . Creating a program charter and defining your strategic objectives are important steps in defining why your Bug Bounty programContinue…


  • Chapter 2: Is a Bug Bounty Program Right for You?

    Date: June 23, 2021 Authors: Sean Poris, Johnathan Kuskos, Josh Dembling, Katie Trimble-Noble, Deana Shick, Christopher Robinson Overview By now, you have read Chapter 1, and you may be wondering if a Bug Bounty program is right for your organization. You might be intrigued by the idea of interacting with researchers, and wondering about theContinue…


  • Chapter 1: What is a Bug Bounty Program?

    Date: May 4, 2021 Authors: Deana Shick, Johnathan Kuskos and Kathleen Trimble-Noble Overview  Bug Bounty programs (or, “Bug Bounties”) have quickly become a mainstay in many security programs. Bug Bounties encourage reporters (including vulnerability finders, researchers, ethical hackers, and so on) to submit vulnerabilities to an organization for rewards. This chapter covers the basics ofContinue…


  • Announcing the Bug Bounty Framework: Demystifying Bug Bounty Programs

    Date: May 4, 2021 Our Bug Bounty Community of Interest (BB COI) has been hard at work this year discussing the challenging problems many Bug Bounty programs (BBP) face, potentially including Vulnerability Disclosure Programs (VDP). Throughout our conversations and research, we noticed that there is little comprehensive guidance covering the Bug Bounty space. In anContinue…