Help Center

We can run a bounty on anything programmed with code. Bugcrowd researchers love testing mobile apps, web apps, hardware, iOT, and everything in between!

People attack applications whether they are invited or not. The issue is whether they are incentivized to exploit the issue or do good by reporting it. Bugcrowd is the most comprehensive and cost-effective approach to making sure as many of these bugs are discovered as possible for the budget allocated to the task.

Crowdcontrol is Bugcrowd's vulnerability disclosure platform. It provides Bugcrowd Security Researchers a secure platform to submit vulnerabilities to your team and allows you the ability to incentivize our researchers through. Bugcrowd points or monetary rewards. It also integrates with your backend issue tracking system to make resolving vulnerabilities as painless as possible.

Yes. There are no trials or intro periods when using the self-managed Crowdcontrol plan and point reward system. We provide a premium service where we handle the entire validation process for you at an additional price.

All Bugcrowd researchers must adhere to the Bugcrowd Standard Disclosure Terms. In addition, each company details the scope and rules that are specific to that program. If a researcher reports a vulnerability that is out of scope, they will not be rewarded. We then alert the researcher so they understand not to test out of scope again. Incentivizing researchers to do good with cash prizes or rewards mitigates wrong doing.

The risk of this happening in a Bugcrowd bounty is actually less than it is with a traditional consulting approach:

• In every bounty we've run so far each of the bugs has been found and reported by more than one researcher. The researchers know this, and that if they elect not to disclose a bug they will likely lose the opportunity to collect the reward. On top of this, the bug will get fixed anyway, meaning it's no longer of any use to them.
• We can run our Traffic Control system which routes the testing traffic through a proxy. This gives accountability to the researchers and gives us the ability to control the traffic.

No. We can run private programs where the number of researchers is restricted to a handful of our top trusted researchers!

All of your vulnerability data is encrypted before being stored in our database. Only your authenticated team members are able to see your data, additionally we never email vulnerability data to you. Security is a top priority for Bugcrowd and we actively run a paid bug bounty against ourselves.

Bugcrowd's physical infrastructure is hosted and managed within Amazon's secure data centers and utilize the Amazon Web Service (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon's data center operations have been accredited under:

• ISO 27001
• SOC 1/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
• PCI Level 1
• FISMA Moderate
• Sarbanes-Oxley (SOX)

Bugcrowd utilizes ISO 27001 and FISMA certified data centers managed by Amazon. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

Amazon only provides data center access and information to employees who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical and electronic access to data centers by Amazon employees is logged and audited routinely.

Welcome to Bugcrowd, thank you for your interest in joining our community! 

Since you're new to Bugcrowd we'd like to walk you through a quick checklist of four things to do as you're getting started with us.

1. Create a Bugcrowd Researcher account

Before you can report bugs and be rewarded for your findings, you need to create a Bugcrowd account. Your Bugcrowd account also comes with a profile which can be made public (or private), enabling you to show-off your skills and accomplishments to security peers and industry professionals.

2. Pick a bug bounty (or several!)

Bugcrowd has many public Bug Bounties that you can hack on and find security vulnerabilities in, with many of them paying out cash as rewards. Each bounty page has all of the details you need to start testing, including a list of targets, finding types that are in-scope and out of scope (or excluded) from the bounty, and many programs will list the pay rewards that they pay out.

3. Begin testing

If you're new to bug bounties you may be interested in reading some guides and articles from our researcher community. If you have any questions or need help, join the Bugcrowd Forum and post your question.

4. Report a Bug

Once you've found a security vulnerability in a bounty program, click the "Report Bug" button on the bounty program page.

After you've reported a bug you will receive a response from Bugcrowd or the customer that is managing the bounty program. If you don't receive a response within several days, please email us at support@bugcrowd.comand we will help you out. 

5. Fill out your profile

Make sure to fill out your profile information to tell the community a bit more about yourself. Many people use this page to show off their skills, as well as link to their personal websites & twitter accounts. 

6. Say hello

The Bugcrowd community team is here to make sure your bounty hunting experience is an awesome one. Whether you need help, have ideas or just want to say hello, we'll get back to you as soon as we can.

• Tweet us at @Bugcrowd and @bugcrowdOps
• IRC at irc.freenode.com in the #bugcrowd channel.
• Join the Bugcrowd community forum
• Have a question for Bugcrowd staff? Email support@bugcrowd.com

Valid and accepted bugs submitted to a paid bounty program will result in a payment to your account. After your bug is accepted by the program owner, your reward will be paid out the following Friday. Bugcrowd currently supports payments via Paypal and Payoneer.

Researcher payouts are distributed every Friday and will be paid out via Paypal. Please make sure to add your Paypal account's email address to your Bugcrowd researcher account settings.

If you would like to receive your payouts via Payoneer, please email support@bugcrowd.com with "Payoneer" in the subject-line.

Bug submissions that affect singular users, require interaction or significant prerequisites to trigger, non-exploitable weaknesses and "won't fix" vulnerabilities all will receive a low priority rating.

Please read this Bugcrowd blog article to learn more about our vulnerability prioritization model.

Sometimes there can be delays in the confirmation of bug submissions. Bugcrowd works hard with our customers to speed up the confirmation process. Response time can vary, typically programs that are Bugcrowd Managed (signified by a Bugcrowd "b" logo on the 'Report Bug' button) have a faster response time.

If you have submitted a bug to a Bugcrowd Managed program and have been waiting for more than two weeks for your bug confirmation, please send an email to support@bugcrowd.com and make sure to include your Bug Reference ID in your email.

Congratulations on receiving an invite to a private program! Invitations are sent out based on researcher performance, so great job on receiving one.

The private invitation email that you received will include the start date and time for the program, the prize pool, number of researchers invited, and the end date and time.

Login to Bugcrowd and go to the Invited Programs page when the private program is going to start. From there you can accept the invitation and begin work on the private program.

The Bugcrowd Researcher Leaderboard is updated at the beginning of every month. A researcher's rank on the leaderboard is based on their total number of kudos points earned over all-time and over the previous month.

Kudos points are rewarded to researchers who submit valid vulnerability reports to programs on Bugcrowd. Read our crowd performance blog post to learn more about how kudos points are rewarded and calculated.

All researchers must adhere to the responsible disclosure guidelines that are outlined in the bounty program's details and rules sections. Bugcrowd's Disclosure policies apply to all submissions made through the Bugcrowd platform, including Duplicates, Out of Scope, and Not Applicable submissions. Customers may select Nondisclosure, Coordinated Disclosure, or Custom Disclosure policies to be applied to their program brief. Please refer to https://researcherdocs.bugcrowd.com/docs/disclosure for details on the different Public Disclosure Policies at Bugcrowd.

Improper disclosure can result in the researcher being removed from a program and can even result in removal from the Bugcrowd platform.

If you have any questions about a program's disclosure policy or process, please email support@bugcrowd.com and we will be happy to assist you.

You can view a program's average response time on the program page's top-right panel. This information can only be viewed when logged-in as a Bugcrowd researcher.

Response time can vary by program, programs that are managed by Bugcrowd typically have a faster response time. Bugcrowd managed programs will have a small Bugcrowd "B" logo on the 'Report Bug' button for the program.

Acceptance Rate is best explained as a comparison of valid to invalid reports.  For those that are interested in the details:

Let X = The count of all your valid and duplicate submissions, including P5 won’t-fix

Let Y = The total count of all your submissions, excluding any marked ‘not applicable’,  have not yet been reviewed, or have only been triaged but not confirmed.

Acceptance Rate = (X / Y) * 100

It’s a simple ratio of all of your accepted submissions to date, versus all submissions you’ve ever made. We exclude ‘not applicable’ submissions, which are those that have been marked by us or a customer as having been made in genuine and well-intentioned error. (And obviously we don’t include submissions that haven’t been finalized yet!)

Average Priority is the average priority level of bugs that are submitted by a researcher. This is based on our P1-P5 scoring system, a lower average score number is better than a high score.

You can read more about how we measure crowd performance on the Bugcrowd blog.

Kudos points are rewarded to researchers for each accepted valid bug that is submitted. Each bug is rated on a priority scale of P1 - P5, with points rewarded accordingly.

P1 – Critical – 40 points
P2 – High – 20 points
P3 – Moderate – 10 points
P4 – Low – 5 points
P5 – Won’t Fix – 0 points

Points are also rewarded to duplicate bugs based on issue severity. Points are rewarded when the original bug is accepted by the program owner.

Duplicates: 

P1 – Critical – 10 points
P2 – High – 5 points
P3 – Moderate – 2 points
P4 – Low – 1 points
P5 – Won’t Fix – 0 points

Private programs are invitation-only, meaning that researchers can only receive access if they are directly invited by Bugcrowd's Researcher Operations team. Invites are distributed based on several criteria, including the researcher's ability to report high quality, high impact vulnerabilities to customers and the researcher's recent activity on the platform.

It's important to note that we invite both new researchers and long-time researchers to private programs, so make sure to always strive for a high level of quality and priority for your bug submissions.

Please read the Bugcrowd blog for more information on private bounty program invitations.

At Bugcrowd, we're working to make sure quality of reports stays high.

Here are some quick suggestions that can help improve many submissions, resulting in higher payouts and acceptance rates:

1. Capitalization and clear explanations. We can't stress how important it is to write out clear descriptions of issues. If you don't spend the time on your submission, it's unlikely the program owner will spend time on reading it.

2. Well documented and clear attack scenarios. Attack scenarios tell the program owner why they should care. For example, you can say something like:

   "This vulnerability affects all users of your forum. When a user signs up, and enters a username of XYZ@Customer.comand a password of XYZ@Customer.com, then his username is accepted. An attacker could use this vulnerability in conjunction with a username enumeration issue to bruteforce forum usernames and passwords"

For more info on writing great attack scenarios, see this resource.

1. Sometimes people write "hope you people fix this" vs saying "Thanks 
   for your time!". We prefer politeness and respect in our community, 
   so make sure to say "thank you" for taking the time!

We find that researchers that take these suggestions in mind have more success, which means you will be more likely to have your submissions accepted and get paid.

Also, make sure to enter your Paypal email address so we can get you paid when you have a submission accepted.

Several links to have a look at:

• Advice for writing a great vulnerability report
  

• How to write a good vulnerability submission
  

• List of great tutorials for various types of exploits and vulnerabilities

• Join the Bugcrowd Forum and chat with other researchers

If you have any questions at all, feel free to reach out to support@bugcrowd.com

Many researchers have different strategies to avoid "duplicates", aka bugs that have been reported previously by researchers. Since bounty programs only reward unique vulnerabilities that haven't been reported by others previously, it's important to try to report bugs that haven't been submitted by others.

Over time you will likely create your own strategy to avoid duplicates, oftentimes this includes finding a niche of vulnerability types that you're especially good at finding, going after bug bounty programs that have just recently launched, and avoiding common bugs that will have been found by others.

For a more exhaustive list of strategies to avoid reporting duplicate bugs, please read this thread on the Bugcrowd Forum.

A valid bug is a security vulnerability that is in-scope for the bounty program and can be reproduced and tested by the program owner. Always make sure that you've found a bug on a target that is in-scope for the bounty program and that the bug is a vulnerability type that the program owner has listed as in-scope.

Read Bugcrowd's Tips for Successful Bug Submissions for more best practices that can help increase your liklihood of success.

Duplicate bugs are vulnerabilities that have been reported previously by researchers. Since bounty programs only reward unique vulnerabilities that haven't been reported by others previously, it's important to try to report bugs that haven't been submitted by others.

We encourage researchers to include a video or screenshot Proof-of-Concept in their submissions. To include a video in your submission, please do so in the platform via these steps.

For all Bugcrowd managed programs we have a contract with the customer. This contract details that we have permission to manage the program and hence view data on submissions. Managed programs are usually preferred by Bugcrowd clients as they offer the opportunity to extend their limited security resources. These managed services come in two types; Triage and Validation. In Triage, Bugcrowd engineers and technology de-duplicate findings, remove out-of-scopes findings, and assign estimated priority levels to each bug. On a validation programs, we do the same but actually reproduce submissions and provide extra services based around that.

• Sign up to join the Bugcrowd security researchers
• Find a bug in one of our bounties and submit it through Crowdcontrol
• If you hold a CISSP, CSSLP, SSCP or CSSLP holder enter your (ISC)2 member number and the approximate time spent finding the bug in the bug submission form
• The time spent on any submission which is valid and doesn’t result in a payment (i.e. any charity bounty, and non-first valid findings in a paid bounty) is a valid CPE activity
• If your submission is valid, at the end of each month, we’ll submit your contribution for that month to (ISC)2

Watch our video with (ISC)2 explaining their CPE program.