How to understand a program's scope and get rewarded
Scopes and rewards are at the core of a Bug Bounty program:
- Scopes: What is to be tested
- Rewards: How much you can expect if you find a valid bug
The scope is the key of any Bug Bounty project : What can be tested?
All assets that are in the scope of a given Bug Bounty Program are listed here:
This list is important to know what you are allowed to test in the framework of this program.
It is also to be understood as the only assets that are eligible for a reward if a (valid) vulnerability is found.
Rewards will depend on 2 criterias:
- Final CVSS score after company's assessment
- Applicable reward grid for the vulnerable scope
Reward grids are defined as maximum reward per severity level.
In this example:
If you find a vulnerability that is scored 7.5 (High) on https://sensitive.example.com, you might get rewarded up to 2000€
In this example, the program managers decided to apply a fine grain analysis and reward this report with 1200€, when a 8.6 (High) report would have been granted the max reward (2000€).
Some organisations will always pay the max reward for a given severity, when others might use different tiers and tresholds to better reflect their risk assessment.