
Organisations' Scopes & Rewards

Define scopes to be tested, how important they are, and what rewards can be expected by our Hunters

Updated over a week ago

Program Scopes

In a Bug Bounty program, a Scope is an asset that will be tested by the Hunters invited on your program.

This is the core of your program, and you should spend time defining it.

Tips & Best practices

Clearly list what is in scope, but also what is out of scope. A best practice is to state that every domain or subdomain not listed in the scopes is out of scope.


What scopes may include

  • Web applications

  • Mobile applications (iOS and/or Android)

  • APIs

  • Desktop software

  • IoT devices

  • Firmware

  • IP addresses

  • Cloud infrastructure or third-party services

  • Etc.

Make sure each component is clearly identified to optimize your program and your security testing strategy. For example:

  • Does your application rely on a separate authentication subdomain?

  • Is there a public or a private API?

  • Should the mobile back-end be in scope?

ℹ️ Don’t know where to start? Take a look at our Asset Security Management module to map your attack surface by discovering unknown assets.

Asset Values

YesWeHack lets you define an Asset Value for each asset of a program. These values range from Low to Critical and reflect the importance of the asset to your business.

They are also taken into account in your reward grid for Hunters.


Adding Scopes

  • Go to “Admin Panel”

  • Select a program and click on “Edit”

  • In the Bug Bounty Description, click on “+ Add Scope”

  • Fill in the scope, its type, and business value

ℹ️ You can add as many scopes as you need. Keep them clear and well-organized to help Hunters understand what to test. Don’t hesitate to reach out to your Customer Success Manager for guidance on program scopes.

ℹ️ Anything not listed is considered out-of-scope by default. If there are specific exclusions (e.g., third-party services, test environments), clearly list them.


Hunters' Rewards

When a report is submitted, our triage team checks if it's reproducible, valid, and in scope.

If it meets all criteria, the triage team will provide the organisation with reward suggestions based on the CVSS score and your program’s reward grid.

The final decision on the reward is always made by the organisation.

Set the reward grid

When editing your program, you can define several rewards depending on the asset's business value and the CVSS score.

This grid automatically updates to include only the rows matching your existing assets' business values. For instance, if you only have assets with a “Medium” business value, you will see a single row in this reward grid.
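The following is an added example, not YesWeHack's own code, showing how the reward logic described on this page fits together: scopes carry a type and a business value, anything not listed is out of scope by default, the grid keeps only rows for asset values actually in use, and a suggestion is looked up from the CVSS band and the asset value. The grid amounts, the scope names and the qualitative CVSS bands (the FIRST v3.x scale) are constructed assumptions, not YesWeHack values.

```python
"""Reward suggestion from a program's scopes and reward grid (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass

# Qualitative CVSS v3.x bands (FIRST severity rating scale), highest first.
CVSS_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]

@dataclass(frozen=True)
class Scope:
    name: str         # the asset itself: a domain, app identifier, IP address...
    kind: str         # "web", "mobile", "api", ... (the scope type)
    asset_value: str  # business value: "Low" | "Medium" | "High" | "Critical"

# Hypothetical full reward grid: asset business value -> CVSS band -> payout (EUR).
FULL_GRID = {
    "Low":      {"Low": 50,  "Medium": 150,  "High": 400,  "Critical": 1000},
    "Medium":   {"Low": 100, "Medium": 300,  "High": 800,  "Critical": 2000},
    "High":     {"Low": 200, "Medium": 600,  "High": 1500, "Critical": 4000},
    "Critical": {"Low": 400, "Medium": 1200, "High": 3000, "Critical": 8000},
}

def cvss_band(score: float) -> str:
    """Map a CVSS base score to its qualitative band; 0.0 is informational."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for threshold, band in CVSS_BANDS:
        if score >= threshold:
            return band
    return "None"

def reward_grid(scopes: list[Scope]) -> dict[str, dict[str, int]]:
    """Keep only the rows whose asset value is used by at least one scope,
    mirroring the grid that updates itself from the program's assets."""
    present = {s.asset_value for s in scopes}
    return {value: row for value, row in FULL_GRID.items() if value in present}

def find_scope(scopes: list[Scope], target: str) -> Scope | None:
    """Exact match only: an asset that is not listed is out of scope by default."""
    return next((s for s in scopes if s.name == target), None)

def suggest_reward(scopes: list[Scope], target: str, score: float) -> int | None:
    """Return the grid suggestion, or None when out of scope or informational."""
    scope = find_scope(scopes, target)
    if scope is None:
        return None
    row = reward_grid(scopes)[scope.asset_value]
    return row.get(cvss_band(score))
```

The organisation still makes the final decision; the function only reproduces the suggestion step.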

The rewards are then clearly displayed to Hunters.
