A list of edge cases that occur in bug bounty programs, and conversations on how they should be handled. The goal is to standardise the way that specific situations are handled in bug bounties.
Hacker submits a vulnerability with a CVSS score that sits within a program's specified reward range. The program rewards the report at the bottom of the specified range.
Resolution:
If a bounty range is published by a program, it should be made clear what reward a CVSS score would receive.
For example:
High Severity: Range $1000 - $3000
Vulnerability Score: 8.0
Reward: $2000
For any program using CVSS, an approximate reward value for a submission should be automatically calculated from the score and the published range, and made visible to both the reporter and the program.
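The following is an added example of the automatic calculation proposed above; it is not code from the original page or from any bounty platform. The CVSS v3.x qualitative severity bands are the standard published ones, but the reward table is a constructed example and linear interpolation of the reward inside each band is an assumption chosen here because it reproduces the page's figure (High $1000 - $3000, score 8.0, reward $2000).

```python
"""Added example: automatic bounty estimate from a CVSS base score.

Assumptions (not stated on the page): rewards grow linearly with the score
inside each severity band, and the reward table below is a constructed
example of what a program might publish.
"""

# CVSS v3.x qualitative severity rating scale. Each band is
# (low_inclusive, high_exclusive) so that e.g. 8.9 still counts as High;
# 10.0 is handled as the inclusive top of Critical.
CVSS_BANDS = {
    "None":     (0.0, 0.1),
    "Low":      (0.1, 4.0),
    "Medium":   (4.0, 7.0),
    "High":     (7.0, 9.0),
    "Critical": (9.0, 10.0),
}

# Constructed reward table for a hypothetical program: (min_usd, max_usd).
EXAMPLE_REWARD_TABLE = {
    "None":     (0, 0),
    "Low":      (100, 300),
    "Medium":   (300, 1000),
    "High":     (1000, 3000),
    "Critical": (3000, 10000),
}


def severity_for_score(score: float) -> str:
    """Return the CVSS qualitative severity name for a base score."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 10.0:
        return "Critical"
    for name, (lo, hi) in CVSS_BANDS.items():
        if lo <= score < hi:
            return name
    raise AssertionError("unreachable: bands cover [0.0, 10.0]")


def estimate_reward(score: float, reward_table: dict) -> tuple:
    """Map a CVSS score to (severity, estimated reward in USD).

    The reward is the published minimum at the band's lower edge and rises
    linearly towards the published maximum at the band's upper edge, so the
    estimate is continuous across band boundaries (a 9.0 Critical pays the
    same as the top of High). Rounded to the nearest dollar.
    """
    severity = severity_for_score(score)
    lo, hi = CVSS_BANDS[severity]
    min_usd, max_usd = reward_table[severity]
    fraction = (score - lo) / (hi - lo)
    return severity, round(min_usd + fraction * (max_usd - min_usd))


def format_estimate(score: float, reward_table: dict) -> str:
    """One line suitable for showing to both reporter and program."""
    severity, usd = estimate_reward(score, reward_table)
    min_usd, max_usd = reward_table[severity]
    return (f"{severity} severity: range ${min_usd} - ${max_usd}; "
            f"vulnerability score {score:.1f}; estimated reward ${usd}")


if __name__ == "__main__":
    # Reproduces the page's worked example: High, 8.0 -> $2000.
    print(format_estimate(8.0, EXAMPLE_REWARD_TABLE))
```

Because the band edges are shared between adjacent severities, the estimate never jumps at a boundary; a score at the very bottom of a band gets exactly the published minimum, which is the behaviour the edge case above is complaining about when it is applied to every report regardless of score.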